Re: [dns-operations] go daddy refuses to register NS not otherwise associated with go daddy controlled domains

2012-09-11 Thread Fred Morris
> EPP I won't even bother with the disclaimer that I don't represent my employer because a) this is a personal account and b) I know our CTO knows a lot about this and doesn't agree with me... in fact I'll go so far as to say that if there's nothing to talk about and you want to kill time, argue w

Re: [dns-operations] go daddy refuses to register NS not otherwise associated with go daddy controlled domains

2012-09-11 Thread Patrik Fältström
On 12 sep 2012, at 03:00, Joe Abley wrote: > The registry requirement is that a host object exist before a domain object > is linked to it (this is the NET registry we're talking about; other TLD > registries can be and are different). Further, a host object with a > nameserver whose name is

Re: [dns-operations] go daddy refuses to register NS not otherwise associated with go daddy controlled domains

2012-09-11 Thread Andrew Sullivan
A little more about what Joe was saying (I agree with him completely). On Tue, Sep 11, 2012 at 09:00:58PM -0400, Joe Abley wrote: > The registry requirement is that a host object exist before a domain > object is linked to it (this is the NET registry we're talking > about; other TLD registries

Re: [dns-operations] go daddy refuses to register NS not otherwise associated with go daddy controlled domains

2012-09-11 Thread Joe Abley
On 2012-09-11, at 20:36, George Michaelson wrote: > On 12/09/2012, at 10:27 AM, Mark Jeftovic wrote: > >> I don't understand this, they are saying they will only do this for >> domains under their management, implying that this domain isn't. > > Yes. I am saying that using their GUI, to manag

Re: [dns-operations] go daddy refuses to register NS not otherwise associated with go daddy controlled domains

2012-09-11 Thread George Michaelson
On 12/09/2012, at 10:27 AM, Mark Jeftovic wrote: > I don't understand this, they are saying they will only do this for > domains under their management, implying that this domain isn't. Yes. I am saying that using their GUI, to manage a domain which is managed with them, they limit NS to 1) i

Re: [dns-operations] go daddy refuses to register NS not otherwise associated with go daddy controlled domains

2012-09-11 Thread Mark Jeftovic
I don't understand this: they are saying they will only do this for domains under their management, implying that this domain isn't. But you later say only godaddy can modify the whois record for this domain, which means godaddy is the registrar of record. So you do this through the registrar of

Re: [dns-operations] go daddy refuses to register NS not otherwise associated with go daddy controlled domains

2012-09-11 Thread Joe Abley
On 2012-09-11, at 20:13, George Michaelson wrote: > this is more tending to the provisioning and the registrar requirements side > of things, than DNS on the wire. > > I recently wrote to godaddy asking why they refused to let me specify > arbitrary NS against my domain. The real answer depe

Re: [dns-operations] go daddy refuses to register NS not otherwise associated with go daddy controlled domains

2012-09-11 Thread George Michaelson
I've been hit with a clue-stick that this behaviour is 5+ years old and understood. As a *CONSUMER* of DNS services, I admit to some shock. But I won't pretend I can prove "it's wrong". So basic rules for NS now include: WHOIS defined NS must exist inside some registrar. WHOIS defined NS cannot

[dns-operations] go daddy refuses to register NS not otherwise associated with go daddy controlled domains

2012-09-11 Thread George Michaelson
This is more tending to the provisioning and the registrar requirements side of things, than DNS on the wire. I recently wrote to godaddy asking why they refused to let me specify arbitrary NS against my domain. Their answer is quite succinct: Dear George, Thank you for conta

Re: [dns-operations] DNS ANY record queries - Reflection Attacks

2012-09-11 Thread Vernon Schryver
> From: Eric Osterweil > Fair enough, except I'm pretty sure some of the deployment being > talked about (even in this thread) is at the authority (not the > resolver)... > > Paul Vixie and I are not advocating DNS rate limiting in firewalls. > > We're talking about rate limiting in the hosts

Re: [dns-operations] DNS ANY record queries - Reflection Attacks

2012-09-11 Thread Eric Osterweil
On Sep 11, 2012, at 5:00 PM, Vernon Schryver wrote: >> From: Eric Osterweil > > >> So, I don't understand something... If you see a lot of identical >> responses from an authority, could that not be because it is an authority >> for those responses? How do you distinguish a netblock with m

Re: [dns-operations] DNS ANY record queries - Reflection Attacks

2012-09-11 Thread Vernon Schryver
> From: Eric Osterweil > > That computation might be correct if DNS clients did not retransmit, > > if the BIND RRL idea involved only discarding responses, > > and if Paul and I proposed dropping 99% of all traffic for a CIDR block. > > We advocate none of that. > > Hmm.. I may still be missing

Re: [dns-operations] DoS with amplification: yet another funny Unix script

2012-09-11 Thread Vernon Schryver
> From: Colm MacCárthaigh > > Any firewall rule that doesn't compute DNS responses about as good as a > > DNS server is simplistic. > > With the greatest of respect; that thinking is itself simplistic. > Where I work we concentrate on writing very good firewalls. Sometimes >

Re: [dns-operations] DoS with amplification: yet another funny Unix script

2012-09-11 Thread Colm MacCárthaigh
On Tue, Sep 11, 2012 at 12:45 PM, Phil Regnauld wrote: >> During real attacks, if a packet makes it to the dns server, the game is >> already lost. > > If you've got a cluster of anycast boxes behind a set of stateful > firewalls, chances are you'll run out of states way before you

Re: [dns-operations] DoS with amplification: yet another funny Unix script

2012-09-11 Thread Phil Regnauld
Colm MacCárthaigh (colm) writes: > > With the greatest of respect; that thinking is itself simplistic. > Where I work we concentrate on writing very good firewalls. Sometimes > these rules even have to parse DNS, just as the DNS server must ... > which causes duplication of work. We do this for se

Re: [dns-operations] DoS with amplification: yet another funny Unix script

2012-09-11 Thread Dobbins, Roland
On Sep 11, 2012, at 11:38 PM, Vernon Schryver wrote: > I fear that the technical note linked from that page fails to emphasize > enough the drawbacks of firewall defenses against DNS reflection attacks Beyond the DNS-specific issues cited, putting stateful firewalls in front of *any* server, m

Re: [dns-operations] DoS with amplification: yet another funny Unix script

2012-09-11 Thread Mathieu Arnold
+--On 10 September 2012 16:41:11 +0200 Laurent Frigault wrote: | Instead of working on the DNS answer, I try a modified version based on | the query on one of my DNS servers : I did that to begin with, the problem is that libpcap sees the packets blocked by pf, so it never ends, on the other side

Re: [dns-operations] DNS ANY record queries - Reflection Attacks

2012-09-11 Thread Eric Osterweil
Hey Vernon, On Sep 11, 2012, at 11:29 AM, Vernon Schryver wrote: >> From: Eric Osterweil > >> So, can I just make sure I understand the RRL idea? If, under >> non-attack circumstances, I get a traffic rate of `r' from a given >> subnet, but an amplification attack sends me `99*r' (causing a to

Re: [dns-operations] DoS with amplification: yet another funny Unix script

2012-09-11 Thread Colm MacCárthaigh
On Tue, Sep 11, 2012 at 9:38 AM, Vernon Schryver wrote: >> From: Klaus Darilion > >> On 10.09.2012 19:48, Paul Vixie wrote: >> > please don't do, or promulgate, this. ddos filtering in order to do more >> > good than harm has to be based on the attack's answer, not on its query. > >> > vernon sch

Re: [dns-operations] Go Daddy is down

2012-09-11 Thread Gardner Bell
On 11 September 2012 13:55, Simon Munton wrote: > http://www.youtube.com/watch?v=SW_0s3kYT24 > > Counter statement - take your pick > > > If they have an anycast DNS network with nodes all over the world, each > peering into different IX's through different routers, it's hard to see how a > single

Re: [dns-operations] PIR's (.org) Web site looks… default...

2012-09-11 Thread Don Blumenthal
On Mon, Sep 10, 2012 at 11:38 PM, Peter Losher wrote: > On Sep 10, 2012, at 8:27 PM, Peter Losher wrote: > >> 10 ip-50-63-189-22.ip.secureserver.net (50.63.189.22) 76.068 ms 76.594 ms >> 75.694 ms > > That explains it - it's on a GoDaddy host. (secureserver.net is one of > GoDaddy's properti

Re: [dns-operations] Go Daddy is down

2012-09-11 Thread David Miller
That youtube video is from December 2011, probably not related. -DMM On 9/11/2012 1:55 PM, Simon Munton wrote: > http://www.youtube.com/watch?v=SW_0s3kYT24 > > Counter statement - take your pick > > > If they have an anycast DNS network with nodes all over the world, each > peering into differ

Re: [dns-operations] DoS with amplification: yet another funny Unix script

2012-09-11 Thread Vernon Schryver
> From: Klaus Darilion > On 10.09.2012 19:48, Paul Vixie wrote: > > please don't do, or promulgate, this. ddos filtering in order to do more > > good than harm has to be based on the attack's answer, not on its query. > > vernon schryver and i explain this in the technical note at > >

Re: [dns-operations] DNS ANY record queries - Reflection Attacks

2012-09-11 Thread Tony Finch
Robert Schwartz wrote: > > The other interesting thing I noticed about the attack packets is that > the source port and transaction ID are transposed. This could be used to > fingerprint the abusive packets. Here are a few lines from our TinyDNS > log (domain names removed and time-codes converted

Re: [dns-operations] Go Daddy is down

2012-09-11 Thread Simon Munton
http://www.youtube.com/watch?v=SW_0s3kYT24 Counter statement - take your pick If they have an anycast DNS network with nodes all over the world, each peering into different IX's through different routers, it's hard to see how a single router issue could take all nodes out - but not impossible

Re: [dns-operations] DNS ANY record queries - Reflection Attacks

2012-09-11 Thread Chip Marshall
On 10-Sep-2012, Robert Schwartz sent: > We run a bunch of authoritative servers and have recently observed activity > best described in a post we found here: > https://isc.sans.edu/diary/DNS+ANY+Request+Cannon+-+Need+More+Packets/13261 > > Using the iptables rules posted as a comment by Network M

Re: [dns-operations] Go Daddy is down

2012-09-11 Thread "Michele Neylon :: Blacknight"
They've issued a statement explaining the outage http://www.godaddy.com/newscenter/release-view.aspx?news_item_id=410 Seemingly nothing to do with hackers or DDOS .. -- Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection http://www.blacknight.com/ http://blog.blacknig

Re: [dns-operations] DNS ANY record queries - Reflection Attacks

2012-09-11 Thread Mohamed Lrhazi
At least for authoritative DNS servers serving one to a few domains, maybe the "better approach" would be what a previous poster said they were implementing: "Identifying the anomalies", if it could be fully automated? My assumption being that each public facing DNS server would be seeing some sort of

Re: [dns-operations] DNS ANY record queries - Reflection Attacks

2012-09-11 Thread Klaus Darilion
On 11.09.2012 17:09, Robert Schwartz wrote: The other interesting thing I noticed about the attack packets is that the source port and transaction ID are transposed. This could be used to fingerprint the abusive packets. Here are a few lines from our TinyDNS log (domain names removed and time-c

Re: [dns-operations] DNS ANY record queries - Reflection Attacks

2012-09-11 Thread Vernon Schryver
> From: Eric Osterweil > So, can I just make sure I understand the RRL idea? If, under > non-attack circumstances, I get a traffic rate of `r' from a given > subnet, but an amplification attack sends me `99*r' (causing a total > traffic rate of `100*r'), then I should rate limit? So, my back of

Re: [dns-operations] DNS ANY record queries - Reflection Attacks

2012-09-11 Thread Robert Schwartz
Hi All - Thanks for all the great responses. I'm glad to hear I'm not the only one seeing this type of activity! @Paul - Yes, I read about RRL on this list before, but like Mohamed, I'm not using BIND. (We're running TinyDNS) @Hauke - In our case, all the requests are for domains we are authorita

Re: [dns-operations] Pinging the root name servers to check my connectivity?

2012-09-11 Thread Vernon Schryver
> From: Stephane Bortzmeyer > > anyone who wants reliable connectivity testing (should use monitor reflectors they 'own' including contracted services including paid for in kind) > This leaves out the case of "Mom & Pop monitoring". Of course, my > employer contracts for reliable monitoring tar

Re: [dns-operations] Pinging the root name servers to check my connectivity?

2012-09-11 Thread Warren Kumari
On Sep 11, 2012, at 9:27 AM, wbr...@e1b.org wrote: > Jeroen Massar wrote on 09/11/2012 09:06:55 AM: > > >> Or should be building into a product... > > Given the slight odds of them getting it correct, I'd agree with that. Obligatory reference to what happens when CPE vendors decide to use a

Re: [dns-operations] DNS ANY record queries - Reflection Attacks

2012-09-11 Thread Eric Osterweil
On Sep 11, 2012, at 1:40 AM, Paul Vixie wrote: > On 2012-09-11 5:36 AM, Mohamed Lrhazi wrote: >> Nope. I have not, and am not using BIND unfortunately. But I guess you >> are saying: Limit responses to any client to some number per some time >> window. >> >> What would be an appropriate number,

Re: [dns-operations] Pinging the root name servers to check my connectivity?

2012-09-11 Thread WBrown
Jeroen Massar wrote on 09/11/2012 09:06:55 AM: > Or should be building into a product... Given the slight odds of them getting it correct, I'd agree with that.

Re: [dns-operations] DoS with amplification: yet another funny Unix script

2012-09-11 Thread Klaus Darilion
Hi Paul! On 10.09.2012 19:48, Paul Vixie wrote: please don't do, or promulgate, this. ddos filtering in order to do more good than harm has to be based on the attack's answer, not on its query. see also the three flaws identified above, which also apply here. (so, your approach has four, adding

Re: [dns-operations] Pinging the root name servers to check my connectivity?

2012-09-11 Thread Jeroen Massar
On 2012-09-11 15:01, wbr...@e1b.org wrote: [..] > Of course this scenario is not something a manufacturer like DLink or > Linksys/Cisco can build into a product easily. Or should be building into a product... I have seen many of those small boxes cause all kinds of havoc already as the 'test

Re: [dns-operations] Pinging the root name servers to check my connectivity?

2012-09-11 Thread WBrown
Stephane Bortzmeyer wrote on 09/11/2012 08:38:40 AM: > This leaves out the case of "Mom & Pop monitoring". Of course, my > employer contracts for reliable monitoring targets. But the small > SOHO? I'm reposting something I meant to send to the list, but sent to Stephane privately. He blogged a

Re: [dns-operations] Pinging the root name servers to check my connectivity?

2012-09-11 Thread Stephane Bortzmeyer
On Mon, Sep 10, 2012 at 08:04:49PM +, paul vixie wrote a message of 25 lines which said: > anyone who wants reliable connectivity testing This leaves out the case of "Mom & Pop monitoring". Of course, my employer contracts for reliable monitoring targets. But the small SOHO? _

Re: [dns-operations] Pinging the root name servers to check my connectivity?

2012-09-11 Thread Stephane Bortzmeyer
On Mon, Sep 10, 2012 at 09:57:48PM +0200, Phil Regnauld wrote a message of 15 lines which said: > How is that different from ping the increasingly ubiquitous L > and F-root ? Root name servers are critical: if you disrupt them, many kittens will be killed. AS112 servers are very

Re: [dns-operations] DNS ANY record queries - Reflection Attacks

2012-09-11 Thread Hauke Lampe
On 11.09.2012 05:52, Robert Schwartz wrote: > The question I have for you all is: Is this something affecting other > operators? How have you been dealing with it? The largest attack came in at >20k queries/second at one of our authoritative servers and frequently crashed the Realtek NIC and/or d

Re: [dns-operations] DNS ANY record queries - Reflection Attacks

2012-09-11 Thread Tony Finch
Robert Schwartz wrote: > > The question I have for you all is: Is this something affecting other > operators? How have you been dealing with it? Yes, this is affecting the cam.ac.uk authoritative name servers and I know of a few others. We're using the BIND RRL patch, amongst other mitigations. S

Re: [dns-operations] DNS ANY record queries - Reflection Attacks

2012-09-11 Thread serhat aslan
My methodology is simple: analyze and ban :) First Part + Baseline = Identifying the anomalies * Using latency monitor. -> smokeping, In-house scripts instead of dig. I prefer using Net::DNS for the customizable output, etc... * Ratio of dns-query/dns-response (in/out mbps