[nsp-sec] UDP love against AS5539

sthaug at nethelp.no
Sat Dec 24 14:29:25 EST 2011


I wrote:

> Yup, spoofed source amplification attacks are all the rage now. I'm
> seeing DNS based ones, typically querying for ANY isc.org or ripe.net
> and getting a large reply, several times per day.

I've started seeing a slightly different type of attack. I used to see
ANY queries for isc.org or ripe.net directed at open recursive resolvers
and proxies, presumably because these domains use DNSSEC and therefore
give a nice big amplification factor.

Right now I'm looking at two authoritative name servers, dns1.eunet.no
(authoritative for lots of domains that we host for customers), and
y.nic.no (authoritative for .no). At the first one, the following four
Chinese IP addresses make up a total of 23% of the queries:

119.63.36.16, 119.63.36.30, 119.63.36.35, 119.147.154.56

and at the second one, just over 11%. In both cases, this is measured
over several hours, and it is far more queries for .no domains than I
would expect from China. So I assume the sources are spoofed.

Looking more closely at the queries, I see ANY queries for the domains
which are *delegated* from the respective two name servers. There's no
DNSSEC involved, but I'm still seeing an amplification factor of around
8 to 10. This is evidently "enough" for a spoofed source amplification
attack to be interesting to the miscreants - though I would have
expected them to go for "biggest bang for the buck" and use ANY queries
against domains known to implement DNSSEC (isc.org, ripe.net etc).

The obvious difference is that sending ANY queries to the delegating name
servers only requires info which is already in the DNS, while getting ANY
replies to isc.org or ripe.net needs a list of open recursive resolvers.

No conclusions here, just some possibly interesting observations.

Steinar Haug, AS 2116
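Added here as an illustration and not part of Steinar's post: a small Python check, run over a constructed query log in a made-up "src qname qtype qlen rlen" format, that measures the two things the post reports (the share of queries carrying a given set of source addresses, and the response/query byte ratio per query type) and flags sources that are receiving high-amplification ANY replies. The four 119.x addresses are the ones from the post; all names, other sources and byte counts are invented.

```python
from collections import defaultdict

# Constructed sample: one query per line as "src qname qtype qlen rlen".
# The four 119.x addresses are the ones named in the post; everything else
# (names, other sources, byte counts) is made up for illustration.
SAMPLE_LOG = """\
119.63.36.16 example.no ANY 45 420
119.63.36.30 foo.no ANY 41 380
119.63.36.35 bar.no ANY 41 360
119.147.154.56 example.no ANY 45 410
203.0.113.7 example.no A 45 61
198.51.100.9 foo.no MX 41 98
192.0.2.33 bar.no A 41 57
203.0.113.7 example.no AAAA 45 73
"""

def parse(log):
    """Return (src, qname, qtype, qlen, rlen) tuples from the sample format."""
    recs = []
    for line in log.splitlines():
        src, qname, qtype, qlen, rlen = line.split()
        recs.append((src, qname, qtype, int(qlen), int(rlen)))
    return recs

def source_share(recs, sources):
    """Fraction of all queries that carry one of the given source addresses."""
    hits = sum(1 for r in recs if r[0] in sources)
    return hits / len(recs)

def amplification_by_qtype(recs):
    """Mean response-bytes / query-bytes ratio for each query type seen."""
    ratios = defaultdict(list)
    for _, _, qtype, qlen, rlen in recs:
        ratios[qtype].append(rlen / qlen)
    return {qt: sum(v) / len(v) for qt, v in ratios.items()}

def flag_reflection_victims(recs, min_amp=8.0, min_share=0.10):
    """Sources whose ANY queries make up at least min_share of all traffic and
    are answered with at least min_amp amplification. With spoofed sources these
    addresses are the reflection victims, so the fix is response rate limiting."""
    total = len(recs)
    any_ratios = defaultdict(list)
    for src, _, qtype, qlen, rlen in recs:
        if qtype == "ANY":
            any_ratios[src].append(rlen / qlen)
    return sorted(src for src, v in any_ratios.items()
                  if len(v) / total >= min_share and sum(v) / len(v) >= min_amp)
```

On the sample, the four addresses account for half the queries and ANY answers come back at roughly 9x, so all four are flagged while the A/AAAA/MX sources are not.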


