[nsp-sec] 5Gbit DNS Reflection/amplification DoS (AS3356, AS4323, AS3257, AS6461)

Phil Rosenthal pr at isprime.com
Fri Jan 23 14:49:13 EST 2009


At this point, we aren't seeing more than a residual level of attack  
packets, so it's probably not worth it to filter anything on these IPs.

Regarding 76.9.31.42 and 76.9.16.171, correct.

Regarding 128.15 and 160.1,
an ACL or firewall similar to:
access-list 110 deny udp host 66.230.160.1 neq 53 any eq 53
access-list 110 deny udp host 66.230.128.15 neq 53 any eq 53
is what you would have wanted. At this point though, it's probably
pointless to apply.

The botnet is now attacking 63.217.28.226, a PCCWBTN IP. I don't  
represent PCCWBTN, so I can't speak for what they would like done/not  
done.

-Phil


On Jan 23, 2009, at 2:43 PM, Smith, Donald wrote:

> Phil , is it reasonable to say:
>
> 76.9.31.42 and 76.9.16.171 do not make outbound dns
> requests.
> So an inbound filter of packets towards udp port 53 from
> either of these two sources mitigates the
> reflective element towards those two ip addresses.
>
>
> 66.230.128.15 and 66.230.160.1 are authoritative name servers.
> They do not make outbound DNS requests other than to TLDs, GLDs and
> Roots so
> filtering requests towards your IPs from these ips with a
> destination port of 53 should block the reflective dns ddos attack.
>
>
> (coffee != sleep) & (!coffee == sleep)
> Donald.Smith at qwest.com gcia
>
>> -----Original Message-----
>> From: nsp-security-bounces at puck.nether.net
>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
>> Phil Rosenthal
>> Sent: Wednesday, January 21, 2009 12:52 PM
>> To: NSP Security List
>> Subject: [nsp-sec] 5Gbit DNS Reflection/amplification DoS
>> (AS3356, AS4323, AS3257, AS6461)
>>
>> ----------- nsp-security Confidential --------
>>
>> Hello,
>>
>> We are receiving a pretty large DDoS attack on our nameservers, ns/
>> ns2.isprime.com
>>
>> You can see an incident report on SANS about it for a little
>> bit more
>> information:
>> http://isc.sans.org/diary.html?storyid=5713
>>
>> We've done a bit of effort to backtrace as much as we could,
>> though we
>> are at the mercy of Level3 at this point, who thus far has not made
>> any progress in backtracing anything.
>>
>> Speaking to other hosts privately who were receiving the spoofed
>> stream towards their nameservers, they generally backtrace to (in
>> order) Time Warner Telecom/4323, Level3/3356, Tiscali/3257, and
>> Abovenet/6461
>>
>> Further, one of the nameservers was anycasted, and gives a strong
>> suggestion that the spoofed packets are coming from somewhere on the
>> USA East Coast, and likely a single source.
>>
>> If anyone has any ability to backtrace this, I'd appreciate it.
>>
>> The pattern should match:
>> source ip 66.230.128.15 and 66.230.160.1
>> source port is random, but NOT 53
>> dest port 53
>> protocol udp
>>
>> If you can't specifically only look for destination port 53,
>> you will
>> be looking at reflections, which won't be useful.
>>
>> Please do not blackhole these ip's as they are live production
>> nameservers with many popular domains hosted on them.
>>
>> Thanks,
>> -Phil
>> AS23393
>> ISPrime
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the
>> nsp-security
>> community. Confidentiality is essential for effective
>> Internet security counter-measures.
>> _______________________________________________
>>
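To make the filter discussed in the thread concrete, here is an added example (not code from Phil, Donald, or the list) that emulates the two access-list lines over constructed flow records; the Flow type, the apply_acl helper and the sample destination addresses 198.51.100.7 and 203.0.113.9 are assumptions, only the two source addresses and the port pattern come from the thread.

```python
# Added example: emulate the ACL from the thread, i.e. drop UDP from the two
# authoritative servers when the source port is not 53 and the destination
# port is 53 (spoofed queries), while genuine responses (source port 53) pass.
from dataclasses import dataclass
from ipaddress import ip_address

# Source addresses named in the thread; the ACL only matches these hosts.
SPOOFED_SOURCES = {ip_address("66.230.128.15"), ip_address("66.230.160.1")}


@dataclass(frozen=True)
class Flow:  # assumed minimal flow record, not a real NetFlow layout
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def matches_reflection_pattern(flow: Flow) -> bool:
    """True when the flow matches Phil's pattern: source is one of the two
    name servers, UDP, source port != 53, destination port 53."""
    return (flow.proto == "udp"
            and ip_address(flow.src) in SPOOFED_SOURCES
            and flow.sport != 53
            and flow.dport == 53)


def apply_acl(flows):
    """Return (permitted, denied) lists: the two deny lines followed by the
    implicit permit for everything else."""
    permitted, denied = [], []
    for f in flows:
        (denied if matches_reflection_pattern(f) else permitted).append(f)
    return permitted, denied


# Constructed sample flows (not captured data).
SAMPLE_FLOWS = [
    Flow("udp", "66.230.128.15", 40213, "198.51.100.7", 53),  # spoofed query: deny
    Flow("udp", "66.230.160.1", 1024, "198.51.100.7", 53),    # spoofed query: deny
    Flow("udp", "66.230.160.1", 53, "198.51.100.7", 33000),   # real answer from ns: permit
    Flow("udp", "66.230.128.15", 53, "198.51.100.7", 53),     # sport 53: 'neq 53' does not match
    Flow("udp", "203.0.113.9", 5555, "198.51.100.7", 53),     # other source: permit
    Flow("tcp", "66.230.128.15", 40213, "198.51.100.7", 53),  # TCP: not matched by a udp ACL
]

if __name__ == "__main__":
    permitted, denied = apply_acl(SAMPLE_FLOWS)
    for f in denied:
        print("deny  ", f)
    for f in permitted:
        print("permit", f)
```

Note that, unlike a blackhole of the two addresses (which Phil asks people not to do), the match leaves the servers' legitimate answers untouched, and a spoofed query that happens to use source port 53 slips through the `neq 53` test.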