i-queries the attackers generated as the main
volumetric component of the 'Operation Ababil' attacks (and targeted at Web
servers, go figure).
If anyone has a more cogent explanation, I'd be grateful for clue, thanks!
------
7ce58f8gg>
------
Roland Dobbins // <http://www.arbornetworks.com>
Equo ne credite, Teucri.
-- Laocoön
___
dns-operations mailing list
dns-operations@lists.
On May 30, 2014, at 3:36 PM, Roland Dobbins wrote:
> <https://app.box.com/s/r7an1moswtc7ce58f8gg>
btw, there's a little bit of Arbor propaganda in that preso, but it's intended
as an educational presentation. Nobody's trying to
a
far bigger improvement.
----------
-capture taps,
databases, etc.?
Thanks much!
--
Farsight' SIE,
> which logs the answers, and have interesting services on the top of it (such
> as DNSDB).
Yes, DNSDB is quite interesting.
Thanks much!
----------
s, hence 'packet-capture'.
;>
----------
ed up the implementation of operationally useful
collection/analytical systems.
Thanks much!
------
ements?
--
database back-end, yes?
------
for
request/response data and perhaps PSAMP-over-IPFIX forwarding of the packets
themselves, with a way to select which packets are selected for forwarding, and
an optional sampler.
------
ea; still, it would be helpful to understand
why it wasn't implemented in IPFIX, rather than in a custom telemetry format .
. .
------
l prioritization (a primary
goal of any form of telemetry export should be relatively easy compatibility
with existing collection/analysis systems and the use of formats with which
there's likely going to be some degree of familiarity and experience with same,
in order to maximize the
o remediate the nodes in
question (this could all be scripted, along with a periodic check
which would remove the blacklisting once remediation occurs).
-----------
any given instance.
-------
]
Yes. The blacklisting recommendation is for the open resolver
operator who is seeing the queries/responses in question (i.e., the OP
in this thread).
---
with
clueless vendors in the mid-1990s, and propagated today by Confused Information
Systems Security Professionals (CISSPs) and their ilk.
> Any good documentation, pointers?
Slide 153 of this deck:
<https://app.box.com/s/r7an1moswtc7ce58f8gg>
-------
plification attack traffic. But
fragmentation itself is not a security issue.
----------
On Sep 13, 2014, at 6:58 PM, Mark Andrews wrote:
> But do force IPv6 to fragment at 1280. This avoids PMTUD.
Personally, I'd rather see pressure on networks to do The Right Thing in terms
of ICMPv6 . . .
;>
--
On Sep 15, 2014, at 6:48 AM, Mark Andrews wrote:
> It is about PMTUD being a bad fit for DNS.
That's fair.
I think a lot of folks are just going to end up manually setting their MTUs to
1280 . . .
------
pace.
Differing communities of 'interest', IMHO.
----------
On Sep 15, 2014, at 5:52 PM, Tony Finch wrote:
> That is, you need to limit the size of response that you send (max-udp-size
> in BIND terms).
Do you recommend that it be lowered to 1280 or thereabouts for IPv6?
--
On Sep 15, 2014, at 5:52 PM, Tony Finch wrote:
> max-udp-size in BIND terms
btw, my impression is that the OP was asking about network policies, not DNS
server settings - correction welcome if this wasn't the case.
-----
break DNS resolution with regards to EDNS0 and DNSSEC (which requires EDNS0).
As I explained previously, this nonsense about fragmentation being a security
risk of some sort is just that - nonsense.
----------
tial fragments, or they'll break the Internet for their
customers.
------
t was in response to Florian's - Florian is right that conceptually,
fragmentation as it was implemented is a bag of hurt. But with the TCP/IP
we have, we *must* allow fragments through, or we break the Internet.
-------
d
> zone) over TCP.
Is it possible that some folks have overzealously misinterpreted Geoff Huston's
article in the latest IPJ?
<http://www.internetsociety.org/sites/default/files/ipj17.1_0.pdf>
------
by default?
--
ke of this - perhaps someone with more clue can weigh in
. . .
----------
On Oct 11, 2014, at 12:52 AM, Wessels, Duane wrote:
> The request should be processed as though that funny option code were not
> even there.
Maybe the F5 has some kind of 'Invalid DNS Query' filtering function?
-----
On Oct 11, 2014, at 1:07 AM, Mohamed Lrhazi
wrote:
> I also can't figure out how to reproduce them with dig...
tcpreplay can be useful for situations like this . . .
<http://sourceforge.net/projects/tcpreplay/>
----
's 'malformed DNS query' scrubbing and see what happens?
----------
option code they're using is unassigned, AFAICT.
----------
On Oct 11, 2014, at 1:06 AM, Miek Gieben wrote:
> 20730 is the old edns client subnet code...
This query is using 20732, though . . .
--
On Oct 11, 2014, at 4:33 PM, Simon Munton wrote:
> My big concern is if this is an issue in a new release of bind,
Which new release of BIND?
--
vantages.
---
th-Cricket-Liu/dp/0596100574/>
<http://www.amazon.com/DNS-Bind-Cookbook-Cricket-Liu-ebook/dp/B004VB3VFK/>
---
h that one must block TCP/53 as well as DNS
responses larger than 512 bytes.
Irrespective of defaults, folks just unquestioningly slap these rules
into place - and then they (or their users) wonder why their DNS is
broken.
-------
, and
SSDP reflection/amplification attacks, too.
Along with ICMP floods, DNS query floods, protocol 0 floods (devices
shouldn't forward them, but they do), protocol 50 floods, http GET
floods, http POST floods, RST floods, et al.
-------
urity
posture of said challenges.
---
On 15 Dec 2014, at 3:28, Matthew Ghali wrote:
> How does code diversity fix protocol vulns?
+1
---
run different software bases?
See above. And 'a bit more challenging' is a significant
understatement, especially at scale.
Worrying about software monoculture at this juncture is like worrying
about urban planning when you don't even have
On 15 Dec 2014, at 5:52, David Conrad wrote:
> Code diversity is to help mitigate implementation bugs.
Sure - but it isn't the be-all, end-all it's made out to be, either.
---
other thought - it's perfectly possible to
achieve codebase diversity for any given piece of software. The bad
guys do it all the time with metamorphic and polymorphic code for
botnets and malware. Why don't developers of legitimate software -
like, say, ISC or Nominum - do somethin
On 15 Dec 2014, at 9:08, Matthew Ghali wrote:
> Or more likely, have a multiplicative effect instead.
+1
---
akes a lot more sense than concentrating on software diversity,
in most organizations. Worrying about software diversity is something
to do after you've done just about everything else you can to improve
your security posture.
------
. And
that even in organizations where it makes sense, it ought to be pretty
low in terms of relative prioritization.
-------
On 16 Dec 2014, at 6:25, Edward Lewis wrote:
> My recommendation for a service provider stick with one code base and
> learn to run it well. My recommendation for a customer of such a
> provider
> use two or more service providers
+1
---
<https://www.icann.org/news/announcement-2-2014-12-16-en>
/0636920034148.do>
<http://shop.oreilly.com/product/0636920020158.do>
-----------
Thanks much!
---
ou have any way to contact some of the user population exhibiting
this behavior, and to ask if they're running some Firefox extensions
which may be causing this?
-------
On 27 Feb 2015, at 15:03, abang wrote:
> FF queries A, *and* ANY.
Sounds as if someone needs to have a serious chat with the Mozilla
Foundation. Start by filing a bug, then escalate.
---
fat-fingers an ACL or a routing statement or a firewall rule or
whatever, all recursive DNS is hosed.
So, anycasting *two* IP addresses (on differing netblocks) is probably
warranted.
---
esses instead of one, why
not go ahead and do so?
And to go further, why not assign one as the first recursor and the
other as the second recursor with ~50% of any endpoints under one's own
span of control, and then reverse the order for the other 50%?
-------
time until they're finally fixed that even in
this context, having another address which can be used for recursive DNS
service makes sense to me.
-------
On 18 Apr 2015, at 16:32, Noel Butler wrote:
> and the problem would be identified and fixed much faster than if it
> was by your assumptions.
I'm not assuming anything; I'm reporting directly observed experience.
YMMV.
shrug<
-------
wall rules, etc.
-------
On 27 Apr 2015, at 8:09, Randy Bush wrote:
> sources and dests are widely distributed.
What do the queries look like? Any patterns you can seine out?
If it's running BIND, try turning on RRL.
---
On 27 Apr 2015, at 11:47, Randy Bush wrote:
> pointers appreciated.
Back in the day, I used Sawmill. Splunk is pretty good, too.
I've heard good things about
<https://github.com/tommyblue/Bind-Log-Analyzer>, but never used it,
myself.
-------
reflection/amplification
attacks with limited numbers of queries for each one, and once you're on
the list of open recursives, you still get pummeled every so often even
after remediation/even if you weren't recursive in the first place.
-------
nding attacks are for A records, AFAIK.
---
ations are Doing It Wrong.
-------
's an example of how I try to propagandize against this kind of
thing, FWIW (see p.156):
<https://app.box.com/s/r7an1moswtc7ce58f8gg>
-------
On 27 May 2015, at 20:39, Roland Dobbins wrote:
> I don't understand the basis behind the assumption that DDoS scrubbing
> services are a factor in EDNS0 failure?
doh, it was pointed out to me that we're talking about EDNS(1), not
EDNS0. Apologies for my confusion.
I haven't
This.
---
mal impact.
Hopefully, this lesson will not be lost on them.
-------
has little experience mitigating actual DDoS
attacks of any significance against production systems.
-------