[nsp-sec] Speaking of DNS DDoS ... 67.21.67.126 getting love.

Smith, Donald Donald.Smith at qwest.com
Thu Apr 9 17:16:43 EDT 2009


The Cisco Guard has several things it can do for DNS.
Things MAY have changed since I last reviewed that product:)

It can block malformed queries, it can set the truncate bit hoping for a TCP connection which it can "authenticate" to build a white list, and it can use EDNS0 to "authenticate" again, building a white list/black list.

You can't really do any of that when you're seeing these spoofed replies.
You should be able to rate limit to mitigate these attacks.
If you have DPI ability you could block the responses based on the content.



(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia   

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Hank Nussbacher
> Sent: Thursday, April 09, 2009 12:04 PM
> To: Scott A. McIntyre
> Cc: NSP-SEC List
> Subject: Re: [nsp-sec] Speaking of DNS DDoS ... 67.21.67.126 getting love.
> 
> ----------- nsp-security Confidential --------
> 
> On Thu, 9 Apr 2009, Scott A. McIntyre wrote:
> 
> I am curious whether the Cisco Guard can mitigate these attacks?
> 
> Thanks,
> Hank
> 
> > ----------- nsp-security Confidential --------
> >
> > Hi,
> >
> > About an hour ago we started seeing a pretty big uptick in packets heading
> > for 67.21.67.126 -- Usual MO, spoofed sources in a DNS amplification attack.
> > Domain being queried is:
> >
> >
> > turan-online.info
> >
> >
> > TXT records:
> >
> > ;; ANSWER SECTION:
> > turan-online.info.	824086	IN	TXT	"jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj"
> > turan-online.info.	824086	IN	TXT	"nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn"
> > turan-online.info.	824086	IN	TXT	"ssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss"
> >
> >
> > And so on.
> >
> > 2009-04-09 05:53:58.506 UTC+0200 is the start time here.
> >
> > We're seeing about 8-9000 packets per second of the spoofed queries, so I can
> > imagine the total pain is pretty reasonable.  Target:
> >
> > AS      | IP               | AS Name
> > 46844   | 67.21.67.126     | ST-BGP - SHARKTECH INTERNET SERVICES
> >
> > You may want to check for flows from open/recursive resolvers which are
> > adding to the attack.
> >
> > Authoritative NS hosts for turan-online.info are:
> >
> > AS      | IP               | AS Name
> > 21448   | 195.69.95.204    | MWIL ==========================================
> > 21448   | 195.69.95.114    | MWIL ==========================================
> > 21448   | 195.69.95.112    | MWIL ==========================================
> >
> >
> > Regards,
> >
> > Scott A. McIntyre
> > XS4ALL Internet
> >
> >
> >
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> >
> > Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> > community. Confidentiality is essential for effective Internet security
> > counter-measures.
> > _______________________________________________
> 
> 
> 
> 
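Rate limiting and content-based blocking, as suggested in the reply above, both need a way to pick the amplification traffic out of ordinary DNS responses. The Python below is an added example, not code from the thread or from any product it mentions: it aggregates flow records by destination and flags addresses receiving port-53-sourced packets at a high rate whose mean size dwarfs the query that elicited them. The flow record format, the 45-byte query size, the 498-byte response size, the thresholds and the sample flows are all constructed assumptions.

```python
# Flag likely DNS-amplification victims from flow records of the form
# (epoch_seconds, src_ip, src_port, dst_ip, dst_port, bytes). Queries spoofed
# with the victim's address make the authoritative servers send large TXT
# responses to the victim, so it appears as the destination of many packets
# sourced from port 53 that dwarf the ~45-byte query that elicited them.
from collections import defaultdict

QUERY_BYTES = 45          # assumed size of a "turan-online.info TXT" query
VICTIM = "67.21.67.126"
AUTH_SERVERS = ["195.69.95.204", "195.69.95.114", "195.69.95.112"]


def build_sample():
    """Constructed flows, not captured data: 600 responses in 2 seconds to
    the victim (300 pps) plus four normal-sized answers to a bystander."""
    flows = [(1239256438 + i // 300, AUTH_SERVERS[i % 3], 53, VICTIM, 1024 + i, 498)
             for i in range(600)]
    flows += [(1239256438, AUTH_SERVERS[0], 53, "192.0.2.10", 2000 + i, 90)
              for i in range(4)]
    return flows


def summarize_responses(flows):
    """Aggregate packets sourced from UDP/53 by destination address."""
    stats = defaultdict(lambda: {"pkts": 0, "bytes": 0, "senders": set(), "secs": set()})
    for ts, src, sport, dst, _dport, size in flows:
        if sport != 53:       # only DNS responses can be amplification traffic
            continue
        s = stats[dst]
        s["pkts"] += 1
        s["bytes"] += size
        s["senders"].add(src)
        s["secs"].add(ts)
    return stats


def amplification_victims(flows, pps_threshold=100, min_amp=5.0, query_bytes=QUERY_BYTES):
    """Destinations getting >= pps_threshold responses/s whose mean size is at
    least min_amp times the query size; the numbers can seed a rate limit."""
    victims = {}
    for dst, s in summarize_responses(flows).items():
        window = max(s["secs"]) - min(s["secs"]) + 1    # whole seconds observed
        pps = s["pkts"] / window
        mean_bytes = s["bytes"] / s["pkts"]
        amp = mean_bytes / query_bytes
        if pps >= pps_threshold and amp >= min_amp:
            victims[dst] = {"pps": pps, "mean_response_bytes": mean_bytes,
                            "amplification": round(amp, 1),
                            "servers": sorted(s["senders"])}
    return victims
```

On the constructed sample only 67.21.67.126 is flagged, with the three MWIL authoritative servers listed as the senders to rate limit toward it.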

