Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-29 Thread Phil Pennock
On 2009-01-29 at 14:01 +0100, Florian Weimer wrote: > * Mark Andrews: > > The most common reason for recursive queries to an authoritative > > server is someone using dig, nslookup or similar and forgetting > > to disable recursion on the request. Useful to know, thanks. So someone perf

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-29 Thread Florian Weimer
* Mark Andrews: > The most common reason for recursive queries to an authoritative > server is someone using dig, nslookup or similar and forgetting > to disable recursion on the request. dnscache in "forward only" mode also sets the RD bit, and apparently does not restrict itself

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-28 Thread Mark Andrews
In message <20090128232123.ga66...@redoubt.spodhuis.org>, Phil Pennock writes: > Sorry to follow up to myself; a few more moments reviewing before > sending were warranted. > > On 2009-01-28 at 15:11 -0800, Phil Pennock wrote: > > I'd be perfectly happy to have X list every root server, gTLD serv

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-28 Thread Mark Andrews
The bad guys want amplification but will take obscuring if that's all they can get. RD=1 is only the signature of the current attack. RD=0 is equally viable. Can you cope with "RD=0 NS ." directed to the root servers from forged addresses? This i

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-28 Thread Douglas C. Stephens
At 09:21 PM 1/27/2009, Paul Vixie wrote: "Douglas C. Stephens" writes: > ... > I choose the latter, and that is why I went to the effort of blocking this > abusive traffic before it reaches my authoritative-only DNS servers. this is an odd implementation choice. the 1PPS query stream is still u

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-28 Thread William Allen Simpson
Paul Vixie wrote: have been able to bind a reputation to an IP address and act in some way based on that reputation because TCP more or less requires that a real IP address be used. we're seeing cracks at the edges of this model now, because so many core routers have login: cisco; password: cisc

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-28 Thread Phil Pennock
Sorry to follow up to myself; a few more moments reviewing before sending were warranted. On 2009-01-28 at 15:11 -0800, Phil Pennock wrote: > I'd be perfectly happy to have X list every root server, gTLD server and > ccTLD server, as a starting point, on the basis that none of those > should ever

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-28 Thread Phil Pennock
On 2009-01-28 at 19:30 +, Paul Vixie wrote: > DNS-oriented attacks are of a completely different kind. today's attacks were > precisely described in > > (which wasn't news in october 2002 but somebody had to write it down so i > did).

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-28 Thread Leen Besselink
> - Original Message - > From: "aljuhani" > Subject: Re: Tightened DNS security question re: DNS amplification > attacks. > To: "nanog" > > Well the RBLs, in using dns queries, are another form of legal DDoS attacks, > mainly when the

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-28 Thread Jack Bates
Paul Vixie wrote: note, i'm speaking as a concerned internet citizen here, not as an ARIN trustee or as ISC's president. i really want to know if folks would be willing to shun each other not on the basis of evil but rather complacency. The real question is, would the endpoints be willing to

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-28 Thread Paul Vixie
> Pretty soon we need an RBL for DNS-oriented DDoS attacks. =) in the classic sense, you're wrong. in a neoclassic sense: "maybe". let me explain. the original RBL was designed to reject TCP/25 (SMTP) transactions based on source address reputation. we had a false start where we blackholed the

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-28 Thread Suresh Ramasubramanian
This, in a thread where paul vixie is posting .. and on a list where there are several people who do run professional blocklists. Well, I dare say there'll be some difference of opinion. Can't help that. On Wed, Jan 28, 2009 at 8:48 PM, aljuhani wrote: > > Well the RBLs, in using dns queries, are

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-28 Thread aljuhani
- Original Message - From: "Frank Bulk" To: "'Paul Vixie'" ; Sent: Wednesday, January 28, 2009 18:02 Subject: RE: Tightened DNS security question re: DNS amplification attacks. | Pretty soon we need an RBL for DNS-oriented DDoS attacks. =) | | -Orig

RE: Tightened DNS security question re: DNS amplification attacks.

2009-01-28 Thread Frank Bulk
Pretty soon we need an RBL for DNS-oriented DDoS attacks. =) -Original Message- From: Paul Vixie [mailto:vi...@isc.org] Sent: Tuesday, January 27, 2009 9:21 PM To: na...@merit.edu Subject: Re: Tightened DNS security question re: DNS amplification attacks. "Douglas C. Stephens"

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-28 Thread Graeme Fowler
Hi On Wed, 2009-01-28 at 13:16 +0100, fredrik danerklint wrote: > At 12:07:16 local time here in sweden, I saw a new address 70.86.80.98. > At 12:09:36 another new address 64.57.246.123 > At 12:20:10 the address 70.86.80.98 started to ask for funny domain name like: > "pjphcdfwudgaaabaaac

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-28 Thread Charles Morris
You all may wish to check your logs for 202.108.12.112, it could be a new target; although I only saw two requests from it. -- Charles Morris cmor...@cs.odu.edu, cmor...@occs.odu.edu Network Security Administrator, Software Developer Office of Computing and Communications Services

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-28 Thread fredrik danerklint
At 12:07:16 local time here in sweden, I saw a new address 70.86.80.98. At 12:09:36 another new address 64.57.246.123 At 12:20:10 the address 70.86.80.98 started to ask for funny domain name like: "pjphcdfwudgaaabaaacboinf". This ended at 12:55:01 when it was back to just ask for the .NS

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-27 Thread Chris Adams
Once upon a time, David Andersen said: > Actually, ". IN NS" is a particularly useful thing for them to do, > because it's an almost globally guaranteed response that will get a > large response and be in cache. That's only true on servers that aren't well-configured. > ". IN NS", of course,

RE: Tightened DNS security question re: DNS amplification attacks. [SEC=UNCLASSIFIED]

2009-01-27 Thread David Zielezna
l probably determine this so let us know what behavior you find. DZ -Original Message- From: Steve Bertrand [mailto:st...@ibctech.ca] Sent: Wednesday, 28 January 2009 2:47 PM To: David Zielezna Cc: John Martinez; nanog@nanog.org Subject: Re: Tightened DNS security question re: DNS amplificati

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-27 Thread David Andersen
On Jan 27, 2009, at 10:21 PM, Paul Vixie wrote: (looking for ". IN NS" as the q-tuple pattern is not a solution, since the bad guys can pretty trivially change the question they ask into one you're willing to answer.) Actually, ". IN NS" is a particularly useful thing for them to do,

RE: Tightened DNS security question re: DNS amplification attacks. [SEC=UNCLASSIFIED]

2009-01-27 Thread David Zielezna
by hand. DZ -Original Message- From: John Martinez [mailto:jmarti...@zero11.com] Sent: Wednesday, 28 January 2009 11:59 AM Cc: nanog@nanog.org Subject: Re: Tightened DNS security question re: DNS amplification attacks. Are we still seeing DNS DDoS attack? If you have received this

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-27 Thread Paul Vixie
"Douglas C. Stephens" writes: > ... > I choose the latter, and that is why went to the effort of blocking this > abusive traffic before it reaches my authoritative-only DNS servers. this is an odd implementation choice. the 1PPS query stream is still using your line even with this defense in pl

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-27 Thread Mark Andrews
In message , Steve Pirk writes : > On Wed, 28 Jan 2009, j...@miscreant.org wrote: > > > Quoting John Martinez : > > > >> Are we still seeing DNS DDoS attack? > > > > Yep. I'm seeing ~2 queries/sec targeting 64.57.246.146. > > > > Also seeing requests from 76.9.16.171 every 1 minute 2 seconds. >

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-27 Thread Steve Pirk
On Wed, 28 Jan 2009, j...@miscreant.org wrote: Quoting John Martinez : Are we still seeing DNS DDoS attack? Yep. I'm seeing ~2 queries/sec targeting 64.57.246.146. Also seeing requests from 76.9.16.171 every 1 minute 2 seconds. I run a small personal nameserver and even I am seeing requ

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-27 Thread jay
Quoting John Martinez : Are we still seeing DNS DDoS attack? Yep. I'm seeing ~2 queries/sec targeting 64.57.246.146. Also seeing requests from 76.9.16.171 every 1 minute 2 seconds.

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-27 Thread Nate Itkin
On Wed, Jan 28, 2009 at 10:36:29AM +1100, Mark Andrews wrote: > < ... snip ... > > > deny udp host 64.57.246.146 neq 53 any eq 53 > > Which pre-supposes that 64.57.246.146 is not emitting queries of > its own. > BCP 140 looked at this problem and concluded that sending > REF

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-27 Thread John Martinez
Mark Andrews wrote: > In message <6.2.3.4.2.20090127162808.02d4a...@imap.ameslab.gov>, "Douglas C. Stephens" writes: >> At 03:16 PM 1/27/2009, Nate Itkin wrote: >>> On Tue, Jan 27, 2009 at 03:04:19PM -0500, Matthew Huff wrote: < ... snip ... > dns queries to the . hint file are

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-27 Thread Mark Andrews
In message <6.2.3.4.2.20090127162808.02d4a...@imap.ameslab.gov>, "Douglas C. Stephens" writes: > At 03:16 PM 1/27/2009, Nate Itkin wrote: > >On Tue, Jan 27, 2009 at 03:04:19PM -0500, Matthew Huff wrote: > > > < ... snip ... > > > > dns queries to the . hint file > > > are still occurring and are n

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-27 Thread Douglas C. Stephens
At 03:16 PM 1/27/2009, Nate Itkin wrote: On Tue, Jan 27, 2009 at 03:04:19PM -0500, Matthew Huff wrote: > < ... snip ... > > dns queries to the . hint file > are still occurring and are not being denied by our servers. For example: > 27-Jan-2009 15:00:22.963 queries: client 64.57.246.146#64176: vie

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-27 Thread Mark Andrews
In message <200901272116.n0rlgija002...@ns1.konadogs.net>, Nate Itkin writes: > On Tue, Jan 27, 2009 at 03:04:19PM -0500, Matthew Huff wrote: > > < ... snip ... > > > dns queries to the . hint file > > are still occurring and are not being denied by our servers. For example: > > 27-Jan-2009 15:00:2

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-27 Thread jay
Quoting Matthew Huff : Given the recent DNS amplification attacks, I've audited and updated our authoritative servers. We are using 9.6.0-P1 now. I've been using the cymru templates, but one thing I see is that the dns queries to the . hint file are still occurring and are not being denied by our s

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-27 Thread Nate Itkin
On Tue, Jan 27, 2009 at 03:04:19PM -0500, Matthew Huff wrote: > < ... snip ... > > dns queries to the . hint file > are still occurring and are not being denied by our servers. For example: > 27-Jan-2009 15:00:22.963 queries: client 64.57.246.146#64176: view > external-in: query: . IN NS + > < ... s

Tightened DNS security question re: DNS amplification attacks.

2009-01-27 Thread Matthew Huff
Given the recent DNS amplification attacks, I've audited and updated our authoritative servers. We are using 9.6.0-P1 now. I've been using the cymru templates, but one thing I see is that the dns queries to the . hint file are still occurring and are not being denied by our servers. For example: 27-J
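Added example, not from any post in this thread: a small Python checker for the BIND 9 query-log line format Matthew Huff quoted ("client 64.57.246.146#64176: view external-in: query: . IN NS +"). It groups ". IN NS" queries by source address and flags sources sending them at a sustained rate, and it matches on the question rather than on the RD bit, since Mark Andrews' point upthread is that RD=1 is only the signature of this particular attack and an RD=0 stream works just as well for the attacker. The first sample line is the one quoted in the thread; the remaining lines, the RFC 5737 documentation addresses 198.51.100.7 and 203.0.113.9, and the rate thresholds are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# BIND 9 query-log line, in the shape quoted in the thread:
#   27-Jan-2009 15:00:22.963 queries: client 64.57.246.146#64176: view external-in: query: . IN NS +
# The flags field starts with '+' (RD set) or '-' (RD clear); BIND may append
# further letters (E for EDNS, T for TCP, ...) and newer versions a trailing
# "(address)", both of which are tolerated and ignored here.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"(?:view (?P<view>\S+): )?"
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>[+-]\S*)(?:\s.*)?$"
)


def parse_line(line):
    """Return a dict for one query-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    q = m.groupdict()
    q["ts"] = datetime.strptime(q["ts"], "%d-%b-%Y %H:%M:%S.%f")
    q["port"] = int(q["port"])
    q["rd"] = q["flags"].startswith("+")   # '+' means the RD bit was set
    return q


def find_reflection_sources(lines, qname=".", qtype="NS",
                            min_queries=3, min_qps=0.5):
    """Group queries for qname/qtype by source address and flag sources whose
    sustained rate reaches min_qps (thresholds are assumptions, tune to taste).

    The match ignores the RD bit on purpose: RD=0 queries for ". NS" are just
    as usable by an attacker. A flagged source is the spoofed *victim* of the
    reflection, not the attacker, so a filter keyed on it (such as an ACL
    dropping all UDP/53 from that host) also drops the victim's own queries.
    """
    per_source = defaultdict(list)
    for line in lines:
        q = parse_line(line)
        if q and q["qname"] == qname and q["qtype"] == qtype:
            per_source[q["ip"]].append(q)

    flagged = {}
    for ip, qs in per_source.items():
        if len(qs) < min_queries:
            continue
        qs.sort(key=lambda q: q["ts"])
        span = (qs[-1]["ts"] - qs[0]["ts"]).total_seconds()
        qps = len(qs) / span if span > 0 else float("inf")
        if qps >= min_qps:
            flagged[ip] = {
                "count": len(qs),
                "qps": round(qps, 2),
                "rd_set": sum(1 for q in qs if q["rd"]),
                "distinct_ports": len({q["port"] for q in qs}),
            }
    return flagged


# Constructed sample log. Only the first line is the one quoted in the thread;
# the rest are made up to show a ~1 qps RD=1 stream, a faster RD=0 stream from
# a documentation address, and one host that merely asked ". NS" once.
SAMPLE_LOG = """\
27-Jan-2009 15:00:22.963 queries: client 64.57.246.146#64176: view external-in: query: . IN NS +
27-Jan-2009 15:00:23.961 queries: client 64.57.246.146#53112: view external-in: query: . IN NS +
27-Jan-2009 15:00:24.960 queries: client 64.57.246.146#27044: view external-in: query: . IN NS +
27-Jan-2009 15:00:25.958 queries: client 64.57.246.146#61209: view external-in: query: . IN NS +
27-Jan-2009 15:00:24.110 queries: client 198.51.100.7#40001: view external-in: query: . IN NS -
27-Jan-2009 15:00:24.610 queries: client 198.51.100.7#40002: view external-in: query: . IN NS -
27-Jan-2009 15:00:25.110 queries: client 198.51.100.7#40003: view external-in: query: . IN NS -
27-Jan-2009 15:00:26.000 queries: client 203.0.113.9#51000: view external-in: query: www.example.com IN A -
27-Jan-2009 15:01:30.000 queries: client 203.0.113.9#51001: view external-in: query: . IN NS +
"""

if __name__ == "__main__":
    for ip, stats in sorted(find_reflection_sources(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip:16} {stats}")
```

Run it against a real query log with `find_reflection_sources(open("query.log"))`. The "distinct_ports" count is worth watching: a spoofed stream typically shows a fresh source port per packet, which a single misconfigured resolver retrying the same question usually does not.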