[nsp-sec] dns issues?

Jim Carhart jcarhart at security.rr.com
Thu Feb 26 16:19:28 EST 2009


The issue was a dedicated DoS from LA customer-based machines against LA
load-balanced DNS resources. Each attack was with an increasing number of
machines. Pure DoS attempts, some malformed DNS packets, many legit in
form. Most pure DNS resolve calls, no cache poisoning seen.

Nuff said in public (as public as NSP can be) I guess.

Speak to me offline if you would like to get in touch with TWC personnel
other than me with hands-on experience.

- Jim "I hear you on the spidy sense thing" Carhart

Mike Lewinski wrote:
> ----------- nsp-security Confidential --------
> 
> Perhaps these issues are all unrelated, but my spider sense is starting
> to tingle...
> 
> 
> 1) Last week we had a customer start complaining about periodic timeouts
> on one of our resolvers. I'm still investigating it, but it seems to
> have resolved itself without any changes here. What is really strange is
> that in my packet captures I can see BIND do the full recursion that is
> requested, but it simply never sends a reply back to the customer's
> original query while answering other queries at the same time without a
> problem (and they are using a nagios test to look up their own www A
> record).
> 
> 2) Yesterday another customer discovered his own resolver cache was
> poisoned, and his access to some web sites was being proxied through
> vipertheripper.com
> 
> 3) This morning Comcast DNS in Denver was positively glacial. I've never
> had such laggy responses from them. At first I thought the whole
> connection might be down, but I had some already established connections
> that were still working. Once I started routing DNS back through my VPN
> everything worked fine again.
> 
> 4) And now I've just read this:
> http://arstechnica.com/security/news/2009/02/time-warner-cable-blames-ddos-attack-for-spotty-service.ars
> 
> 
> Mike
> 
> 

-- 
 ======================================================================
 Jim Carhart                                  james.carhart at twcable.com
 Director of Security                               Voice: 703.345.3192
 TWC Road Runner LLC                                 Cell: 571.236.7668
 ======================================================================


