[nsp-sec] 5Gbit DNS Reflection/amplication DoS (AS3356 AS4323, AS3257, AS6461)

Smith, Donald Donald.Smith at qwest.com
Fri Jan 23 14:43:21 EST 2009


Phil , is it reasonable to say:

76.9.31.42 and 76.9.16.171 do not make outbound dns requests.
So an inbound filter of packets towards udp port 53 from either of
these two sources mitigates the reflective element towards those two
ip addresses.


66.230.128.15 and 66.230.160.1 are authoritative name servers.
They do not make outbound DNS requests other than to TLDs, GLDs and Roots, so
filtering requests towards your IPs from these ips with a
destination port of 53 should block the reflective dns ddos attack.


(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia   

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> Phil Rosenthal
> Sent: Wednesday, January 21, 2009 12:52 PM
> To: NSP Security List
> Subject: [nsp-sec] 5Gbit DNS Reflection/amplication DoS 
> (AS3356 AS4323,AS3257, AS6461)
> 
> ----------- nsp-security Confidential --------
> 
> Hello,
> 
> We are receiving a pretty large DDoS attack on our nameservers,
> ns/ns2.isprime.com
> 
> You can see an incident report on SANS about it for a little bit more
> information:
> http://isc.sans.org/diary.html?storyid=5713
> 
> We've done a bit of effort to backtrace as much as we could, though we
> are at the mercy of Level3 at this point, who thus far has not made
> any progress in backtracing anything.
> 
> Speaking to other hosts privately who were receiving the spoofed  
> stream towards their nameservers, they generally backtrace to (in  
> order) Time Warner Telecom/4323, Level3/3356, Tiscali/3257, and  
> Abovenet/6461
> 
> Further, one of the nameservers was anycasted, and gives a strong  
> suggestion that the spoofed packets are coming from somewhere on the  
> USA East Coast, and likely a single source.
> 
> If anyone has any ability to backtrace this, I'd appreciate it.
> 
> The pattern should match:
> source ip 66.230.128.15 and 66.230.160.1
> source port is random, but NOT 53
> dest port 53
> protocol udp
> 
> If you can't specifically only look for destination port 53, you will
> be looking at reflections, which won't be useful.
> 
> Please do not blackhole these ip's as they are live production  
> nameservers with many popular domains hosted on them.
> 
> Thanks,
> -Phil
> AS23393
> ISPrime
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the 
> nsp-security
> community. Confidentiality is essential for effective 
> Internet security counter-measures.
> _______________________________________________
> 
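The pattern Phil gives (UDP, source 66.230.128.15 or 66.230.160.1, destination port 53, source port anything but 53) and Donald's proposed inbound filter can be put in code so the match conditions are unambiguous. The block below is an added example written for this archive page, not code from either poster or from ISPrime; the packet records are constructed, the `Packet` class and function names are my own, and the iptables rule form is an assumption about what a downstream network would deploy (a Cisco ACL or a flow-export filter would carry the same three conditions). It follows Donald's caveat that the authoritative servers do query TLD and root servers, so a network hosting those would need to exempt them.

```python
"""Match and filter the spoofed-source DNS reflection pattern from the thread.

Added example, not from the original posts. A packet is a small record with
src, dst, proto, sport, dport; the sample packets below are constructed.
"""
from dataclasses import dataclass

# Source addresses named in the thread as being spoofed by the attacker.
VICTIM_SOURCES = frozenset({
    "66.230.128.15", "66.230.160.1",   # ns/ns2.isprime.com (authoritative only)
    "76.9.31.42", "76.9.16.171",       # hosts Donald says make no outbound DNS requests
})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str     # "udp" or "tcp"
    sport: int
    dport: int


def is_spoofed_query(pkt: Packet, victims=VICTIM_SOURCES) -> bool:
    """Phil's pattern: UDP, spoofed victim source, dport 53, sport != 53.

    The sport != 53 clause matters: the victims' own DNS *responses* carry
    sport 53 and a random dport, and the reflections themselves (from an
    open resolver, sport 53) never have a victim address as source, so
    neither matches.
    """
    return (pkt.proto == "udp"
            and pkt.src in victims
            and pkt.dport == 53
            and pkt.sport != 53)


def classify(pkt: Packet, victims=VICTIM_SOURCES) -> str:
    """Label a packet for triage on a transit or hosting network.

    'drop-spoofed-query'  - the attack stream; its ingress point is what
                            a backtrace needs, so log before dropping.
    'reflection'          - open resolver answering the spoofed query; it
                            is heading for the victim and is not useful
                            for finding the spoofer (Phil's note).
    'pass'                - everything else, including the nameservers'
                            legitimate responses.
    """
    if is_spoofed_query(pkt, victims):
        return "drop-spoofed-query"
    if pkt.proto == "udp" and pkt.sport == 53 and pkt.dst in victims:
        return "reflection"
    return "pass"


def render_iptables(victims=VICTIM_SOURCES, chain: str = "FORWARD") -> list:
    """Render Donald's inbound filter as iptables rules (assumed deployment
    form). '! --sport 53' encodes the 'source port is NOT 53' condition so
    legitimate answers from the authoritative servers still get through."""
    return [
        f"iptables -A {chain} -p udp -s {ip} ! --sport 53 --dport 53 -j DROP"
        for ip in sorted(victims)
    ]


def triage(packets) -> dict:
    """Count packets per label; handy on a flow-export dump."""
    counts = {"drop-spoofed-query": 0, "reflection": 0, "pass": 0}
    for pkt in packets:
        counts[classify(pkt)] += 1
    return counts


# Constructed sample traffic as seen by a network hosting an open resolver
# at 192.0.2.10 (documentation prefix); nothing here is captured data.
SAMPLE = [
    Packet("66.230.128.15", "192.0.2.10", "udp", 41234, 53),   # spoofed query
    Packet("66.230.160.1", "192.0.2.10", "udp", 2049, 53),     # spoofed query
    Packet("192.0.2.10", "66.230.128.15", "udp", 53, 41234),   # reflection back
    Packet("66.230.128.15", "192.0.2.10", "udp", 53, 51000),   # real NS response
    Packet("66.230.128.15", "192.0.2.10", "tcp", 40001, 53),   # TCP, not the pattern
    Packet("198.51.100.5", "192.0.2.10", "udp", 40000, 53),    # unrelated query
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(f"{classify(pkt):20s} {pkt}")
    print(*render_iptables(), sep="\n")
```

The `classify` split matters operationally: a network that can only filter on source port will see the reflections (sport 53) and count them as attack traffic, which is exactly the mistake Phil warns about. The rule generator deliberately does not blackhole the two nameserver addresses; it drops only UDP packets that claim to be queries from them.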
