On 2012-11-02 10:17 , Sebastian Castro wrote:

On 02/11/12 10:05, Juha Saarinen wrote:

...

Are the local open resolvers seen as a problem? [....] I see potential on this for NZRS through InternetNZ to gather the list and start nudging some local administrators.

NCSC (the NZ National Cyber Security Centre) contacted at least some of them during October. I'm not sure where their contact list came from. Possibly they could be asked to talk to Team Cymru as a Trusted Third Party and then make local contact with the remainder? Ewen

On 3/11/12 10:59 AM, Hamish MacEwan wrote:

And I'm a bit confused, "That's a 64 byte query that resulted in a 3,223 byte response." My understanding was at a certain size of response, DNS switched to TCP to return results, but maybe the unsolicited response handshake is accepted blindly?

Presumably when the attacker sends the spoofed queries towards the DNS server, they indicate that they would very much like the response to do the EDNS0 thing - allowing the server to stick to UDP when replying. -Mike

On 3/11/12 12:58 PM, Florent Bouron wrote:

Does someone know how a dns server decides to respond based on the size of the response it's about to send?

I'm asking this question as it doesn't seem possible for a server to switch to tcp. Look at this scenario : - client behind firewall (and or NAT) sends a request via UDP. - server "decides" to answer with tcp and creates a session with the client

The server responds using only UDP to a request received via UDP. If the response is "too large," the TC (truncated) bit is set in the response header, indicating to the client that the response wouldn't fit. Upon receiving a response with TC set, a client could then retry the query using TCP - the connection is established outbound from the client to the server. -Mike

And here is an example of consumer complaining about excessive usage and complaining about his ISP. http://www.geekzone.co.nz/forums.asp?forumid=81&topicid=111127 He then realises his pfsense box is actually servicing DNS requests for his own network - and to the world. He even admits later responses were being sent out to CloudFlare IP addresses, which seems to indicate his DNS was part of those attacks. Slingshot was nice to waive some of the fees. Customers should read the T&Cs where ISPs say they have to keep their devices safe - this is not only from malware but also from misconfigurations introduced by the users themselves... Cheers Mauricio Freitas www.geekzone.co.nz www.freitasm.com www.twitter.com/freitasm -----Original Message----- From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Hamish MacEwan Sent: Saturday, 3 November 2012 10:59 a.m. To: nznog(a)list.waikato.ac.nz Subject: Re: [nznog] Open resolvers again On 2 November 2012 10:05, Juha Saarinen wrote:

http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack

The article notes without elaboration: "In order to increase your attack's volume, you could try and add more compromised machines to your botnet. That is becoming increasingly difficult. " Is that good news, or have botted devices reached saturation? That there aren't any un-botted left to be taken. And I'm a bit confused, "That's a 64 byte query that resulted in a 3,223 byte response." My understanding was at a certain size of response, DNS switched to TCP to return results, but maybe the unsolicited response handshake is accepted blindly?

Juha Saarinen AITTP

Hamish. -- http://hamish.kiwi.me _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

On a related note; I've been running an Urban Terror game server open to the internet at our community house and seeing very high traffic occasionally (mostly outbound, fully saturating our ADSL). It took me longer than it should have to figure out what was going on, seems that the Urban Terror server can be exploited as a UDP traffic amplifier too. http://www.urbanterror.info/forums/topic/27825-drdos/ On 4 November 2012 17:21, Dobbins, Roland wrote:

On Nov 2, 2012, at 4:05 AM, Juha Saarinen wrote:

...

Are the local open resolvers seen as a problem?

A combination of three things enable DNS reflection/amplification attacks:

1. Lack of anti-spoofing deployed at the customer aggregation edge (shameful in 2012).

2. Open DNS recursors (also shameful in 2012).

3. EDNS0 (necessary).

Before going on a chase for open recursors, it would be a wise investment of time and effort to ensure that one has implemented BCP84 anti-spoofing at one's customer aggregation edge. Without the ability to emit spoofed packets, the open recursors can't be abused in this way.

Also note that DNS reflection/amplification attacks can be initiated without utilizing open recursors, simply by sending spoofed packets directly to authoritative servers. So, deploying anti-spoofing should be the priority.

----------------------------------------------------------------------- Roland Dobbins // http://www.arbornetworks.com

Luck is the residue of opportunity and design.

-- John Milton

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog