Re: random dns queries with random sources

2014-02-20 Thread Steve Clark
On 02/20/2014 08:57 AM, Pavel Zeleny wrote: Masataka Ohta necom830.hpcl.titech.ac.jp> writes: Joe Maimon wrote: What is the purpose of this? ... Masataka Ohta Hi guys, for a second, have you any clue how to block this traffic on DNS server

Re: random dns queries with random sources

2014-02-20 Thread Pavel Zeleny
Masataka Ohta necom830.hpcl.titech.ac.jp> writes: > > Joe Maimon wrote: > > > What is the purpose of this? ... > > Masataka Ohta > Hi guys, for a second, have you any clue how to block this traffic on DNS server side? As our company operates recu

Re: random dns queries with random sources

2014-02-19 Thread Masataka Ohta
Joe Maimon wrote: > What is the purpose of this? It may be an experiment that rate limiting is useless to suppress amplification against attacks simultaneously on many targets. A better protection should be to shut down secure DNS, which is not very secure.

RE: random dns queries with random sources

2014-02-19 Thread Beeman, Davis
orth American Networking and Offtopic Gripes List Subject: Re: random dns queries with random sources Beeman, Davis wrote: > rather the authoritative name server in these domains is the rogue DNS server > in use by the bad actor running a botnet. > > Davis Beeman > Network Security E

Re: random dns queries with random sources

2014-02-19 Thread Joe Maimon
Beeman, Davis wrote: rather the authoritative name server in these domains is the rogue DNS server in use by the bad actor running a botnet. Davis Beeman Network Security Engineer Somebody must be registering these domain names. And I should be able to compile a list of the auth servers

Re: random dns queries with random sources

2014-02-19 Thread Tempest
Or if you tell your bots to use a set of open resolvers, it helps hide them by a step. On Wed, Feb 19, 2014 at 8:32 AM, Simon Perreault < simon.perrea...@viagenie.ca> wrote: > On 2014-02-19 11:28, Dobbins, Roland wrote: > >> I am late to this train, but it appears no one else has brought this

Re: random dns queries with random sources

2014-02-19 Thread Simon Perreault
On 2014-02-19 11:28, Dobbins, Roland wrote: >> I am late to this train, but it appears no one else has brought this up. It >> is a DNS tunneling setup, not an attack. > > This makes a lot of sense - good insight, will look into this further! I use this for free wi-fi in airports and such:

Re: random dns queries with random sources

2014-02-19 Thread Dobbins, Roland
On Feb 19, 2014, at 10:57 PM, Beeman, Davis wrote: > I am late to this train, but it appears no one else has brought this up. It > is a DNS tunneling setup, not an attack. This makes a lot of sense - good insight, will look into this further! ---

RE: random dns queries with random sources

2014-02-19 Thread Beeman, Davis
I am late to this train, but it appears no one else has brought this up. It is a DNS tunneling setup, not an attack. I have been dealing with one of these lately as well. They were using some open resolvers in my network to reflect, but the "random" hostnames in the queries are tunneled traff

Re: random dns queries with random sources

2014-02-19 Thread sthaug
> It has been ongoing for a week or so (but not constant). The domain > names have a pattern but are comprised of components that appear to be > randomly generated. The source IP addresses for the queries appear to be > non duplicated and randomly generated. > > query logs are available for uni

Re: random dns queries with random sources

2014-02-19 Thread sthaug
> Premature send - I meant to add 'Or against the authoritative servers for > 5kkx.com?' > > We've been seeing a spate of reflected (not amplified) DNS attacks against > various authoritative servers in Europe for the past week or so, bounced > through some type of consumer DSL broadband CPE wi

Re: random dns queries with random sources

2014-02-19 Thread Anurag Bhatia
Hello everyone I can see such crap traffic for over a couple of weeks now but yes it appeared all of a sudden and I was also wondering if I am alone experiencing it. 2014-02-19 14:30 GMT+08:00 Joe Maimon : > > > Dobbins, Roland wrote: > >> >> On Feb 19, 2014, at 1:07 PM, Joe Maimon wrote: >> >>

Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon
Dobbins, Roland wrote: On Feb 19, 2014, at 1:07 PM, Joe Maimon wrote: There are ways to deal with it on resolvers as well, like RRL and IDS and iptables None of these things work well for recursive resolvers; they cause more problems than they solve. Whatever I am doing appears to be

Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon
Owen DeLong wrote: On Feb 18, 2014, at 9:48 PM, Joe Maimon wrote: This assumes several facts not in evidence: 1. It is an attack. 2. It is deliberate 3. There is a target 4. It is more effective than others On what do you base those assumptions? To me this looks to b

Re: random dns queries with random sources

2014-02-18 Thread Dobbins, Roland
On Feb 19, 2014, at 1:07 PM, Joe Maimon wrote: > There are ways to deal with it on resolvers as well, like RRL and IDS and > iptables None of these things work well for recursive resolvers; they cause more problems than they solve.

Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon
Dobbins, Roland wrote: On Feb 19, 2014, at 12:48 PM, Joe Maimon wrote: What I can't figure out is what is the target and how this attack method is any more effective than the others. The target appears to be the authoritative servers for the domain in question, yes? I don't think so, bu

Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon
Dobbins, Roland wrote: On Feb 19, 2014, at 12:44 PM, Joe Maimon wrote: Get back to me when the same can't be done with auth servers. There are ways to deal with it on authoritative servers, like RRL. There are ways to deal with it on resolvers as well, like RRL and IDS and iptables an

Re: random dns queries with random sources

2014-02-18 Thread Owen DeLong
On Feb 18, 2014, at 9:48 PM, Joe Maimon wrote: > > > George Herbert wrote: >> Right. Nonzero chances that you (Joe's site) are the target... >> >> Also, check if you have egress filtering of spoofed addresses below these >> DNS resources, between them and any user objects. You could be sour

Re: random dns queries with random sources

2014-02-18 Thread Dobbins, Roland
On Feb 19, 2014, at 12:48 PM, Joe Maimon wrote: > What I can't figure out is what is the target and how this attack method is > any more effective than the others. The target appears to be the authoritative servers for the domain in question, yes? The attacker may consider it more effective b

Re: random dns queries with random sources

2014-02-18 Thread Dobbins, Roland
On Feb 19, 2014, at 12:44 PM, Joe Maimon wrote: > Get back to me when the same can't be done with auth servers. There are ways to deal with it on authoritative servers, like RRL. --- Roland Dobbins //

Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon
George Herbert wrote: Right. Nonzero chances that you (Joe's site) are the target... Also, check if you have egress filtering of spoofed addresses below these DNS resources, between them and any user objects. You could be sourcing the spoofing if not... It seems to me that the same|similar

Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon
Doug Barton wrote: On 02/18/2014 07:59 PM, Joe Maimon wrote: Are you running open resolvers? Yes If so, please stop doing that, No it's widely known to be a bad idea for over a decade now, At this point, doing anything on the internet is a bad idea. and you are providing the ba

Re: random dns queries with random sources

2014-02-18 Thread Doug Barton
On 02/18/2014 07:59 PM, Joe Maimon wrote: Doug Barton wrote: On 02/18/2014 07:08 PM, Joe Maimon wrote: Thousands of queries with thousands of source ip addresses. Pardon if I missed a memo, but how are your resolver systems receiving these thousands of very different source addresses? Doug

Re: random dns queries with random sources

2014-02-18 Thread Dobbins, Roland
On Feb 19, 2014, at 10:48 AM, Christopher Morrow wrote: > apologies. both chl.net and chl.com ... which appear to be parts of ttec ... > which is joe. Premature send - I meant to add 'Or against the authoritative servers for 5kkx.com?' We've been seeing a spate of reflected (not amplified)

Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon
Dobbins, Roland wrote: On Feb 19, 2014, at 10:08 AM, Joe Maimon wrote: What is the purpose of this? Resource-exhaustion attack against the recursive DNS? On anything that is going to stay open, not even close.

Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon
Doug Barton wrote: On 02/18/2014 07:08 PM, Joe Maimon wrote: Thousands of queries with thousands of source ip addresses. Pardon if I missed a memo, but how are your resolver systems receiving these thousands of very different source addresses? Doug Thousands of queries _from_ thousands o

Re: random dns queries with random sources

2014-02-18 Thread George Herbert
Right. Nonzero chances that you (Joe's site) are the target... Also, check if you have egress filtering of spoofed addresses below these DNS resources, between them and any user objects. You could be sourcing the spoofing if not... On Tue, Feb 18, 2014 at 7:44 PM, Dobbins, Roland wrote: > >

Re: random dns queries with random sources

2014-02-18 Thread Christopher Morrow
On Tue, Feb 18, 2014 at 10:47 PM, Christopher Morrow wrote: > On Tue, Feb 18, 2014 at 10:44 PM, Dobbins, Roland wrote: >> >> On Feb 19, 2014, at 10:08 AM, Joe Maimon wrote: >> >>> What is the purpose of this? >> >> Resource-exhaustion attack against the recursive DNS? > > so... i could be nuts,

Re: random dns queries with random sources

2014-02-18 Thread Dobbins, Roland
On Feb 19, 2014, at 10:44 AM, Dobbins, Roland wrote: > Resource-exhaustion attack against the recursive DNS? Fat-finger, sorry - should also state 'Or against the authoritative servers for 5kkx.com?' --- Roland Dobbins //

Re: random dns queries with random sources

2014-02-18 Thread Christopher Morrow
On Tue, Feb 18, 2014 at 10:44 PM, Dobbins, Roland wrote: > > On Feb 19, 2014, at 10:08 AM, Joe Maimon wrote: > >> What is the purpose of this? > > Resource-exhaustion attack against the recursive DNS? so... i could be nuts, but in the example joe clipped, the resolved hosts are either: 66.199.13

Re: random dns queries with random sources

2014-02-18 Thread Dobbins, Roland
On Feb 19, 2014, at 10:32 AM, Joe Maimon wrote: > How is this any more effective than sending it directly? If they're attacking the authoritative DNS servers for 5kkx.com, just reflecting gives them indirection and presumably makes traceback harder for 5kkx.com (at least, in the minds of the at

Re: random dns queries with random sources

2014-02-18 Thread Dobbins, Roland
On Feb 19, 2014, at 10:08 AM, Joe Maimon wrote: > What is the purpose of this? Resource-exhaustion attack against the recursive DNS? --- Roland Dobbins // Luck is the residue of oppor

Re: random dns queries with random sources

2014-02-18 Thread Warren Bailey
Totally was trying to figure out how to ask the same thing. How exactly are you the POC in this situation? lol On 2/18/14, 7:35 PM, "Doug Barton" wrote: >On 02/18/2014 07:08 PM, Joe Maimon wrote: >> Thousands of queries with thousands of source ip addresses. > >Pardon if I missed a memo, but how

Re: random dns queries with random sources

2014-02-18 Thread Doug Barton
On 02/18/2014 07:08 PM, Joe Maimon wrote: Thousands of queries with thousands of source ip addresses. Pardon if I missed a memo, but how are your resolver systems receiving these thousands of very different source addresses? Doug

Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon
Mark Andrews wrote: What is the purpose of this? Indirect attack on the 5kkx.com servers? 18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: query: swe.5kkx.com IN A + (66.199.132.5) I have seen dozens of different second level parts. How is this any more effective than s

Re: random dns queries with random sources

2014-02-18 Thread ML
I couldn't resolve that domain or subdomains that I tried. If that domain did respond, I'd guess it's tailored to be a large junky response. Varying the qname prevents people from using iptables to block specific queries. On 2/18/2014 10:08 PM, Joe Maimon wrote: Hey all, DNS amplification
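Added example, not code from any poster in this thread: it takes BIND 9 query-log lines of the kind Joe Maimon quoted (client, qname, type, flags), groups them by base domain, and flags a domain when nearly every query carries both a never-seen qname and a never-seen source address, which is the pattern the thread describes (random leftmost label, apparently random sources). It then answers ML's point that a varying qname defeats a per-name iptables rule by deriving the part that does not vary: the wire-format encoding of the base domain, which a netfilter string match can key on. The log lines apart from the one quoted above are constructed for the example (RFC 5737 test addresses); the base-domain heuristic (last two labels) and the thresholds are assumptions, not anything the thread specifies.

```python
"""Flag random-subdomain floods in BIND 9 query logs and derive the fixed
wire-format suffix that survives qname randomisation (added example)."""
import math
import re
from collections import defaultdict

# BIND 9 "queries" category line, e.g.
#   18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: query: swe.5kkx.com IN A + (66.199.132.5)
# Newer BIND releases insert "@0x..." and "(qname)" after "client"; both are optional here.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
    r"(?: \((?P<dest>[^)]+)\))?"
)


def parse_line(line):
    """Fields of one query-log line, or None for lines that are not queries."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    q = m.groupdict()
    q["qname"] = q["qname"].rstrip(".").lower()
    return q


def base_domain(qname):
    """Last two labels (assumption: fine for 5kkx.com, wrong for co.uk-style suffixes)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def label_entropy(label):
    """Shannon entropy in bits/char of a label; reported as a hint only, since
    three-letter labels like "swe" stay low even when random."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(lines, min_queries=5, threshold=0.9):
    """Return {base_domain: metrics} for domains where the share of distinct
    qnames AND distinct source addresses both exceed `threshold`."""
    stats = defaultdict(lambda: {"n": 0, "qnames": set(), "clients": set(), "ent": 0.0})
    for line in lines:
        q = parse_line(line)
        if q is None:
            continue
        s = stats[base_domain(q["qname"])]
        s["n"] += 1
        s["qnames"].add(q["qname"])
        s["clients"].add(q["client"])
        s["ent"] += label_entropy(q["qname"].split(".")[0])
    flagged = {}
    for dom, s in stats.items():
        n = s["n"]
        if n < min_queries:
            continue
        qname_ratio = len(s["qnames"]) / n
        client_ratio = len(s["clients"]) / n
        if qname_ratio >= threshold and client_ratio >= threshold:
            flagged[dom] = {
                "queries": n,
                "distinct_qname_ratio": round(qname_ratio, 2),
                "distinct_client_ratio": round(client_ratio, 2),
                "mean_label_entropy": round(s["ent"] / n, 2),
            }
    return flagged


def wire_suffix_hex(domain):
    """DNS wire-format labels of a name: 5kkx.com -> '04 35 6b 6b 78 03 63 6f 6d 00'.
    The random part is the leftmost label, so these bytes are identical in
    every query of the flood, however the prefix changes."""
    out = bytearray()
    for label in domain.rstrip(".").split("."):
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)  # root label terminates the name
    return " ".join(f"{b:02x}" for b in out)


def iptables_rule(domain):
    """Netfilter string-match rule dropping UDP/53 packets that carry the suffix."""
    return ('iptables -A INPUT -p udp --dport 53 -m string --algo bm '
            f'--hex-string "|{wire_suffix_hex(domain)}|" -j DROP')


SAMPLE_LINES = [
    # the line quoted in the thread
    "18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: query: swe.5kkx.com IN A + (66.199.132.5)",
    # constructed: seven more queries, each with a new label and a new source
    "18-Feb-2014 21:45:25.004 queries: info: client 192.0.2.17#2811: query: qz8.5kkx.com IN A + (66.199.132.5)",
    "18-Feb-2014 21:45:25.031 queries: info: client 198.51.100.9#61002: query: ptk.5kkx.com IN A + (66.199.132.5)",
    "18-Feb-2014 21:45:25.052 queries: info: client 203.0.113.44#1025: query: mw2a.5kkx.com IN A + (66.199.132.5)",
    "18-Feb-2014 21:45:25.077 queries: info: client 192.0.2.203#41876: query: hfl.5kkx.com IN A + (66.199.132.5)",
    "18-Feb-2014 21:45:25.090 queries: info: client 198.51.100.77#3312: query: bxq1.5kkx.com IN A + (66.199.132.5)",
    "18-Feb-2014 21:45:25.113 queries: info: client 203.0.113.5#50044: query: vnd.5kkx.com IN A + (66.199.132.5)",
    "18-Feb-2014 21:45:25.140 queries: info: client 192.0.2.88#1999: query: kro.5kkx.com IN A + (66.199.132.5)",
] + [  # constructed: ordinary repeat traffic from one client, must not be flagged
    f"18-Feb-2014 21:45:2{i}.500 queries: info: client 192.0.2.10#4000{i}: query: www.example.com IN A + (66.199.132.5)"
    for i in range(5)
]

if __name__ == "__main__":
    for dom, metrics in analyze(SAMPLE_LINES).items():
        print(dom, metrics)
        print(iptables_rule(dom))
```

Two caveats before pasting the generated rule into a resolver: the string match scans the whole UDP payload of every inbound port-53 packet, so it costs CPU per packet and drops every query under that zone, legitimate or not, which is the sort of side effect Roland warns about when applying such filters to recursive resolvers; and dropping at the resolver only stops this host from reflecting, it does not stop the spoofed queries from arriving.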

Re: random dns queries with random sources

2014-02-18 Thread Mark Andrews
In message <5304201a.3040...@ttec.com>, Joe Maimon writes: > Hey all, > > DNS amplification spoofed source attacks, I get that. I even thought I > was getting mitigation down to acceptable levels. > > But now this. At different times during the previous days and on > different resolvers, route