[nsp-sec] namespace4u.de
John Fraizer
john at op-sec.us
Fri Mar 27 14:26:51 EDT 2009
Florian Weimer wrote:
> * John Fraizer:
>
>> Yes. It was most certainly random. It could be a Kaminsky-style attack
>> though. Here is an example from a snoop on one of our customer-facing
>> caching nameservers:
>>
>> $ /usr/sbin/snoop -i 0326091400.cap | grep namespace
>> 2 0.00055 cns03.olvemo01.sys.nuvox.net -> 193.223.77.3 DNS C
>> ovqkaxdNZgEGl.namespace4you.de. Internet * ?
>
> namespace4you or namespace4u?
It is namespace4you.de - sorry about the typo.
>
> The former makes much more sense.
>
>> Some research showed that queries directed at the WAN IP of the CPE
>> would be reflected by the CPE to our caching nameservers.
>
> So it's just a reflective attack against namespace4you.de/Fourty Six
> Media. They appear to be filtering queries to everything under
> namespace4you.de (except ns and ns2).
>
> I suppose these attacks can be quite difficult to deal with. 8-(
>
It didn't make our DNS servers happy in the least. It was an additional
300K+ queries/sec. It suddenly became my job to prove that it wasn't a
network problem. 8-{ They didn't want to listen to me several years ago
when I pointed out flaws...er...design concerns in their planned
deployment but now, when it fell over, it's my problem. Sigh
John
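As an added example that is not part of the thread, one way a resolver operator could pick a random-subdomain flood like the one quoted above out of snoop-style query lines: group queries by parent zone and flag zones that receive many distinct, high-entropy leftmost labels. The sample lines, the two-label zone grouping, and the thresholds are constructed assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample lines in the shape of the snoop output quoted in the thread
# (sequence, delta, src -> dst, "DNS C <name> Internet <type> ?"); addresses are RFC 5737.
SAMPLE_LINES = """\
1 0.00012 cns03.example.net -> 192.0.2.53 DNS C ovqkaxdNZgEGl.namespace4you.de. Internet * ?
2 0.00055 cns03.example.net -> 192.0.2.53 DNS C qZt7pLmKxwbVr.namespace4you.de. Internet * ?
3 0.00061 cns03.example.net -> 192.0.2.53 DNS C HjuWq2KdPzLxa.namespace4you.de. Internet * ?
4 0.00070 cns03.example.net -> 192.0.2.53 DNS C bXk9rQwNmTyEv.namespace4you.de. Internet * ?
5 0.00082 cns03.example.net -> 192.0.2.54 DNS C www.example.org. Internet A ?
6 0.00090 cns03.example.net -> 192.0.2.54 DNS C mail.example.org. Internet A ?
""".splitlines()

QUERY_RE = re.compile(r"DNS C (\S+)\. Internet")

def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label (case-folded)."""
    counts = defaultdict(int)
    for ch in label.lower():
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def group_queries(lines):
    """Map each parent zone (assumption: last two labels) to the leftmost labels queried under it."""
    zones = defaultdict(list)
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        labels = m.group(1).split(".")
        if len(labels) < 3:          # bare zone apex, nothing to judge
            continue
        zones[".".join(labels[-2:])].append(labels[0])
    return zones

def flag_random_subdomain_floods(lines, min_distinct=4, min_entropy=3.0):
    """Return {zone: (distinct_label_count, avg_entropy)} for zones whose leftmost
    labels look machine-generated. Thresholds are constructed; tune to real volume."""
    flagged = {}
    for zone, labels in group_queries(lines).items():
        distinct = set(labels)
        if len(distinct) < min_distinct:
            continue
        avg_entropy = sum(label_entropy(l) for l in distinct) / len(distinct)
        if avg_entropy >= min_entropy:
            flagged[zone] = (len(distinct), round(avg_entropy, 2))
    return flagged
```

On the sample, only namespace4you.de is flagged; the hostnames under example.org are few and low-entropy.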