[nsp-sec] namespace4u.de
John Fraizer
john at op-sec.us
Fri Mar 27 12:31:10 EDT 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Florian Weimer wrote:
> * John Fraizer:
>
>> I've got several hundred hosts that decided that they wanted to start
>> beating up on namespace4you.de on Thursday. They were doing several
>> thousand queries a second for [random].namespace4u.de.
>
> Are you sure about the [random] part? What type of answers did you
> receive?
>
> This certainly looks like a Kaminsky-style attack. But namespace4u.de
> was used a couple of years ago, so I wonder if it is something else.
>
Well,
Yes. It was most certainly random. It could be a Kaminsky-style attack
though. Here is an example from a snoop on one of our customer-facing
caching nameservers:
$ /usr/sbin/snoop -i 0326091400.cap | grep namespace
2 0.00055 cns03.olvemo01.sys.nuvox.net -> 193.223.77.3 DNS C
ovqkaxdNZgEGl.namespace4you.de. Internet * ?
3 0.00029 cns03.olvemo01.sys.nuvox.net -> 80.67.16.124 DNS C
FNVapy.namespace4you.de. Internet * ?
4 0.00016 cns03.olvemo01.sys.nuvox.net -> 193.223.77.3 DNS C
zTalhsnbmLqbdEq.namespace4you.de. Internet * ?
5 0.00021 cns03.olvemo01.sys.nuvox.net -> 193.223.77.3 DNS C
XywoZgwwtddXdxpu.namespace4you.de. Internet * ?
12 0.00078 66.148.132.234.nw.nuvox.net ->
cns03.olvemo01.sys.nuvox.net DNS C btaVPOruXczEeghT.namespace4you.de.
Internet * ?
16 0.00005 cns03.olvemo01.sys.nuvox.net -> 193.223.77.3 DNS C
chruhnRlygjblvrJ.namespace4you.de. Internet * ?
34 0.00026 cns03.olvemo01.sys.nuvox.net -> 193.223.77.3 DNS C
gcjpykhIDd.namespace4you.de. Internet * ?
72 0.00010 cns03.olvemo01.sys.nuvox.net -> 193.223.77.3 DNS C
gMBxJyX.namespace4you.de. Internet * ?
81 0.00296 66.148.195.86.nw.nuvox.net -> cns03.olvemo01.sys.nuvox.net
DNS C Pbio.namespace4you.de. Internet * ?
82 0.00058 cns03.olvemo01.sys.nuvox.net -> 80.67.16.124 DNS C
Pbio.namespace4you.de. Internet * ?
87 0.00027 66.148.195.86.nw.nuvox.net -> cns03.olvemo01.sys.nuvox.net
DNS C fgslzpkxFWhtxfkt.namespace4you.de. Internet * ?
88 0.00055 cns03.olvemo01.sys.nuvox.net -> 80.67.16.124 DNS C
fgslzpkxFWhtxfkt.namespace4you.de. Internet * ?
89 0.00105 66.148.195.86.nw.nuvox.net -> cns03.olvemo01.sys.nuvox.net
DNS C zhc.namespace4you.de. Internet * ?
90 0.00051 cns03.olvemo01.sys.nuvox.net -> 80.67.16.124 DNS C
zhc.namespace4you.de. Internet * ?
91 0.00211 66.148.195.86.nw.nuvox.net -> cns03.olvemo01.sys.nuvox.net
DNS C cCuixhoXhWi.namespace4you.de. Internet * ?
92 0.00050 cns03.olvemo01.sys.nuvox.net -> 80.67.16.124 DNS C
cCuixhoXhWi.namespace4you.de. Internet * ?
95 0.00117 cns03.olvemo01.sys.nuvox.net -> 193.223.77.3 DNS C
IeHBYsrOGsvGw.namespace4you.de. Internet * ?
104 0.00259 cns03.olvemo01.sys.nuvox.net -> 193.223.77.3 DNS C
xjcoAovVxhaxn.namespace4you.de. Internet * ?
105 0.00019 cns03.olvemo01.sys.nuvox.net -> 193.223.77.3 DNS C
DqHkbmtuTEsVucWp.namespace4you.de. Internet * ?
106 0.00024 cns03.olvemo01.sys.nuvox.net -> 193.223.77.3 DNS C
p.namespace4you.de. Internet * ?
107 0.00020 cns03.olvemo01.sys.nuvox.net -> 193.223.77.3 DNS C
zZpPSOpOobuGvyy.namespace4you.de. Internet * ?
I'm still tracking things down but thus far, it looks like some OLD, OLD
IAD devices were being abused to get past our ACLs.
The customer-facing folks took the list of addresses I pulled out of the
snoops for on-net hosts that were doing the namespace4you queries and
every one of the devices turns out to be CPE. The queries were coming
from the WAN IP of the CPE, but no NAT was enabled on the CPE.
Some research showed that queries directed at the WAN IP of the CPE
would be reflected by the CPE to our caching nameservers.
We have ACLs on our recursive nameservers, but the miscreants had found
a way to get past them by bouncing the requests off of the CPE. :(
Several thousand pieces of CPE are going through a mass config change as
I type. :)
John
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with PCLinuxOS - http://enigmail.mozdev.org
iD8DBQFJzP9O+16lRpJszIgRAul9AJ9Qt1+ioP9HPsQoCNny67disDwFSgCeNR/x
ZIxsRgtgoscOMEh8d5AWgMo=
=4G+i
-----END PGP SIGNATURE-----
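The capture above shows the pattern a resolver operator wants to pick out of a snoop: one on-net source sending many queries for distinct, random-looking leftmost labels under a single zone. The script below is an added example (not part of the message or of any tool named in it) that parses snoop-style DNS summary lines, keeps only queries arriving at the caching resolver, groups them by (source, zone), and flags sources whose labels are almost all unique and high-entropy. The resolver name, client hostnames, the 192.0.2.3 upstream address and the sample lines are constructed; the thresholds are assumptions to tune against your own traffic.

```python
import math
import re
from collections import Counter, defaultdict

# Regex for the one-line query summary that snoop prints for DNS traffic:
#   <pkt#> <delta> <src> -> <dst> DNS C <qname> Internet * ?
SNOOP_DNS_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+DNS C\s+"
    r"(?P<qname>\S+)\s+Internet"
)

# Constructed sample capture (hostnames and addresses are made up; the random
# leftmost labels mirror the ones in the message above).  cpe-a is a client
# sending a burst of random-label queries, office-pc is ordinary traffic, and
# the resolver's own upstream lookups toward 192.0.2.3 are present too.
SAMPLE_SNOOP = """\
 12 0.00078 cpe-a.example.net -> resolver.example.net DNS C btaVPOruXczEeghT.namespace4you.de. Internet * ?
 13 0.00005 resolver.example.net -> 192.0.2.3 DNS C btaVPOruXczEeghT.namespace4you.de. Internet * ?
 14 0.00041 office-pc.example.net -> resolver.example.net DNS C www.example.org. Internet * ?
 81 0.00296 cpe-a.example.net -> resolver.example.net DNS C Pbio.namespace4you.de. Internet * ?
 82 0.00058 resolver.example.net -> 192.0.2.3 DNS C Pbio.namespace4you.de. Internet * ?
 83 0.00011 office-pc.example.net -> resolver.example.net DNS C www.example.org. Internet * ?
 87 0.00027 cpe-a.example.net -> resolver.example.net DNS C fgslzpkxFWhtxfkt.namespace4you.de. Internet * ?
 88 0.00033 cpe-b.example.net -> resolver.example.net DNS C gMBxJyX.namespace4you.de. Internet * ?
 89 0.00105 cpe-a.example.net -> resolver.example.net DNS C zhc.namespace4you.de. Internet * ?
 90 0.00022 office-pc.example.net -> resolver.example.net DNS C mail.example.org. Internet * ?
 91 0.00211 cpe-a.example.net -> resolver.example.net DNS C cCuixhoXhWi.namespace4you.de. Internet * ?
 92 0.00015 office-pc.example.net -> resolver.example.net DNS C www.example.org. Internet * ?
 93 0.00009 office-pc.example.net -> resolver.example.net DNS C imap.example.org. Internet * ?
 95 0.00117 cpe-a.example.net -> resolver.example.net DNS C IeHBYsrOGsvGw.namespace4you.de. Internet * ?
 96 0.00018 cpe-b.example.net -> resolver.example.net DNS C zhc.namespace4you.de. Internet * ?
 97 0.00012 office-pc.example.net -> resolver.example.net DNS C www.example.org. Internet * ?
 98 0.00300 office-pc.example.net -> resolver.example.net TCP D=443 S=51234 Syn Seq=1 Len=0 Win=65535
"""


def parse_snoop_line(line):
    """Return (src, dst, qname) for a snoop DNS query line, or None for anything else."""
    m = SNOOP_DNS_RE.match(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), m.group("qname").rstrip(".")


def split_qname(qname, zone_labels=2):
    """Split 'xyz.namespace4you.de' into ('xyz', 'namespace4you.de')."""
    parts = qname.split(".")
    if len(parts) <= zone_labels:
        return "", qname.lower()
    return ".".join(parts[:-zone_labels]), ".".join(parts[-zone_labels:]).lower()


def shannon_entropy(text):
    """Bits per character of text; concatenated random labels score near log2(52)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def find_random_subdomain_floods(lines, resolver, min_queries=5,
                                 min_unique_ratio=0.9, min_entropy=4.0):
    """Flag (client, zone) pairs whose queries to `resolver` use many distinct,
    high-entropy leftmost labels.  Thresholds are assumed starting points."""
    labels_by_key = defaultdict(list)
    for line in lines:
        parsed = parse_snoop_line(line)
        if parsed is None:
            continue
        src, dst, qname = parsed
        if dst != resolver:
            continue  # skip the resolver's own outbound lookups; we want client traffic
        label, zone = split_qname(qname)
        if label:
            labels_by_key[(src, zone)].append(label)

    findings = {}
    for key, labels in labels_by_key.items():
        total = len(labels)
        if total < min_queries:
            continue
        unique_ratio = len(set(labels)) / total
        entropy = shannon_entropy("".join(labels))
        if unique_ratio >= min_unique_ratio and entropy >= min_entropy:
            findings[key] = {"queries": total, "unique_ratio": unique_ratio,
                             "entropy": round(entropy, 2)}
    return findings


if __name__ == "__main__":
    for (src, zone), stats in find_random_subdomain_floods(
            SAMPLE_SNOOP.splitlines(), "resolver.example.net").items():
        print(f"{src} -> {zone}: {stats}")
```

Run as-is it reports only cpe-a.example.net against namespace4you.de; office-pc's repeated www/mail/imap lookups fail the uniqueness test and cpe-b falls under the query minimum. The flagged source list is what you would then cross-reference against CPE WAN addresses, as the message describes, to find devices reflecting outside queries into the resolver. Filtering on the destination matters: the resolver's own upstream queries (packets 13 and 82) carry the same random names and would otherwise make the resolver itself look like the offender.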