[nsp-sec] Perfect DNS DDoS against EasyDNS - help wanted...

Rodney Joffe rjoffe at centergate.com
Fri Nov 11 15:12:48 EST 2011


Hi Don,

I would not expect that at all. Their target this time is the authoritative server, not the recursive ones. So I would expect you to be seeing spoofed "valid" queries udp/53 destined for 72.52.2.1, and if you are authoritative for the spoofed source, you might see some responses headed back to them from 72.52.2.1. The problem will be that you cannot tell the valid from the attack unless you examine the payload of the query itself and you see the ???games.com. Of course, if they change that to be truly random domain names, you'll have no way of telling.

Oh, and you will also have lots of valid queries UDP/53 headed towards 72.52.2.1 from actual recursive servers. They will be real. 

On Nov 11, 2011, at 3:01 PM, Smith, Donald wrote:

> Joel, did you see any icmp errors? I usually do in spoofed reflective dns attacks and I am not seeing any in this one so far.
> Rodney would you expect to see icmp errors in this type of attack? Since the resolvers are making "real" queries
> 
> that maybe the a way to recognize this type of attack from netflow?
> 
> 
> (coffee != sleep) & (!coffee == sleep)
> Donald.Smith at qwest.com
> ________________________________________
> From: nsp-security-bounces at puck.nether.net [nsp-security-bounces at puck.nether.net] On Behalf Of Joel Rosenblatt [joel at columbia.edu]
> Sent: Friday, November 11, 2011 12:43 PM
> To: Rodney Joffe; NSP-SEC List
> Subject: Re: [nsp-sec] Perfect DNS DDoS against EasyDNS - help wanted...
> 
> ----------- nsp-security Confidential --------
> 
> Hi,
> 
> I'm seeing a lot of traffic coming from that address to one of our DNS servers at our medical center(156.111.60.150).  The machine 128.59.176.4 is a dns server
> at our law school:
> 
> 2011/11/11 13:37:54 72.52.2.1.53 -> 156.111.60.150.60142 17 1 135
> 2011/11/11 13:37:55 72.52.2.1.53 -> 156.111.60.150.40237 17 1 80
> 2011/11/11 13:37:58 72.52.2.1.53 -> 156.111.60.150.24350 17 1 104
> 2011/11/11 13:37:58 72.52.2.1.53 -> 156.111.60.150.5783 17 1 104
> 2011/11/11 13:38:08 72.52.2.1.53 -> 156.111.60.150.29470 17 1 238
> 2011/11/11 13:38:08 72.52.2.1.53 -> 156.111.60.150.64248 17 1 612
> 2011/11/11 13:38:08 72.52.2.1.53 -> 156.111.60.150.64928 17 1 124
> 2011/11/11 13:38:26 72.52.2.1.53 -> 156.111.60.150.31571 17 1 124
> 2011/11/11 13:38:29 72.52.2.1.53 -> 156.111.60.150.57693 17 1 141
> 2011/11/11 13:38:29 72.52.2.1.53 -> 156.111.60.150.62924 17 1 340
> 2011/11/11 13:38:31 72.52.2.1.53 -> 156.111.60.150.1996 17 1 133
> 2011/11/11 13:38:31 72.52.2.1.53 -> 156.111.60.150.31700 17 1 360
> 2011/11/11 13:38:31 72.52.2.1.53 -> 156.111.60.150.34524 17 1 151
> 2011/11/11 13:38:31 72.52.2.1.53 -> 156.111.60.150.4808 17 1 299
> 2011/11/11 13:38:33 72.52.2.1.53 -> 156.111.60.150.50592 17 1 648
> 2011/11/11 13:38:34 72.52.2.1.53 -> 156.111.70.150.7487 17 1 132
> 2011/11/11 13:38:58 72.52.2.1.53 -> 156.111.60.150.57473 17 1 146
> 2011/11/11 13:39:01 72.52.2.1.53 -> 156.111.60.150.29184 17 1 133
> 2011/11/11 13:39:01 72.52.2.1.53 -> 156.111.70.150.44407 17 1 133
> 2011/11/11 13:39:03 72.52.2.1.53 -> 156.111.60.150.26121 17 1 253
> 2011/11/11 13:39:04 72.52.2.1.53 -> 156.111.60.150.2889 17 1 121
> 2011/11/11 13:39:04 72.52.2.1.53 -> 156.111.60.150.52539 17 1 261
> 2011/11/11 13:39:05 72.52.2.1.53 -> 156.111.60.150.17358 17 1 137
> 2011/11/11 13:39:06 72.52.2.1.53 -> 156.111.60.150.22962 17 1 133
> 2011/11/11 13:39:07 72.52.2.1.53 -> 156.111.60.150.26432 17 1 364
> 2011/11/11 13:39:12 72.52.2.1.53 -> 156.111.60.150.29476 17 1 243
> 2011/11/11 13:39:12 72.52.2.1.53 -> 156.111.60.150.39218 17 1 147
> 2011/11/11 13:39:12 72.52.2.1.53 -> 156.111.60.150.45585 17 1 129
> 2011/11/11 13:39:14 72.52.2.1.53 -> 156.111.60.150.54251 17 1 243
> 2011/11/11 13:39:14 72.52.2.1.53 -> 156.111.60.150.64252 17 1 642
> 2011/11/11 13:39:14 72.52.2.1.53 -> 156.111.60.150.8245 17 1 129
> 2011/11/11 13:39:40 128.59.59.92.47017 -> 72.52.2.1.53 17 1 81
> 2011/11/11 13:39:40 72.52.2.1.53 -> 128.59.59.92.47017 17 1 312
> 2011/11/11 13:39:46 156.111.60.150.31983 -> 72.52.2.1.53 17 1 78
> 2011/11/11 13:39:46 72.52.2.1.53 -> 156.111.60.150.31983 17 1 249
> 2011/11/11 13:39:47 156.111.60.150.25478 -> 72.52.2.1.53 17 1 78
> 2011/11/11 13:39:47 72.52.2.1.53 -> 128.59.62.11.49354 17 1 125
> 2011/11/11 13:39:47 72.52.2.1.53 -> 156.111.60.150.25478 17 1 246
> 2011/11/11 13:39:47 72.52.2.1.53 -> 156.111.60.150.32755 17 1 132
> 2011/11/11 13:39:48 72.52.2.1.53 -> 156.111.60.150.41522 17 1 133
> 2011/11/11 13:39:52 72.52.2.1.53 -> 156.111.70.150.22179 17 1 334
> 2011/11/11 13:39:55 72.52.2.1.53 -> 156.111.70.150.21811 17 1 125
> 2011/11/11 13:39:56 72.52.2.1.53 -> 156.111.60.150.11791 17 1 126
> 2011/11/11 13:39:56 72.52.2.1.53 -> 156.111.60.150.29742 17 1 250
> 2011/11/11 13:39:56 72.52.2.1.53 -> 156.111.60.150.31010 17 1 144
> 2011/11/11 13:39:57 72.52.2.1.53 -> 156.111.70.150.12482 17 1 252
> 2011/11/11 13:40:01 72.52.2.1.53 -> 156.111.60.150.48805 17 1 115
> 2011/11/11 13:40:01 72.52.2.1.53 -> 156.111.60.150.55493 17 1 240
> 2011/11/11 13:40:04 72.52.2.1.53 -> 156.111.60.150.63638 17 1 354
> 2011/11/11 13:40:07 72.52.2.1.53 -> 156.111.70.150.13514 17 1 388
> 2011/11/11 13:40:08 72.52.2.1.53 -> 156.111.60.150.22648 17 1 652
> 2011/11/11 13:40:08 72.52.2.1.53 -> 156.111.60.150.62223 17 1 388
> 2011/11/11 13:40:10 128.59.59.92.62717 -> 72.52.2.1.53 17 1 69
> 2011/11/11 13:40:10 72.52.2.1.53 -> 128.59.59.92.62717 17 1 330
> 2011/11/11 13:40:17 128.59.176.4.10765 -> 72.52.2.1.53 17 1 83
> 2011/11/11 13:40:17 128.59.176.4.24265 -> 72.52.2.1.53 17 1 83
> 2011/11/11 13:40:17 128.59.176.4.33252 -> 72.52.2.1.53 17 1 83
> 2011/11/11 13:40:17 128.59.176.4.56282 -> 72.52.2.1.53 17 1 83
> 2011/11/11 13:40:17 72.52.2.1.53 -> 128.59.176.4.10765 17 1 244
> 2011/11/11 13:40:17 72.52.2.1.53 -> 128.59.176.4.24265 17 1 148
> 2011/11/11 13:40:17 72.52.2.1.53 -> 128.59.176.4.33252 17 1 262
> 2011/11/11 13:40:17 72.52.2.1.53 -> 128.59.176.4.56282 17 1 130
> 2011/11/11 13:40:23 72.52.2.1.53 -> 128.59.176.100.34277 17 1 246
> 2011/11/11 13:40:23 72.52.2.1.53 -> 128.59.176.100.43712 17 1 132
> 2011/11/11 13:40:24 128.59.176.100.10328 -> 72.52.2.1.53 17 1 83
> 2011/11/11 13:40:24 128.59.176.100.25559 -> 72.52.2.1.53 17 1 83
> 2011/11/11 13:40:24 156.111.60.150.13402 -> 72.52.2.1.53 17 1 76
> 2011/11/11 13:40:24 72.52.2.1.53 -> 156.111.60.150.13402 17 1 130
> 2011/11/11 13:40:24 72.52.2.1.53 -> 156.111.60.150.52542 17 1 128
> 2011/11/11 13:40:25 128.59.59.92.17966 -> 72.52.2.1.53 17 1 75
> 2011/11/11 13:40:25 156.111.70.150.16256 -> 72.52.2.1.53 17 1 68
> 2011/11/11 13:40:25 72.52.2.1.53 -> 128.59.59.92.17966 17 1 333
> 2011/11/11 13:40:25 72.52.2.1.53 -> 156.111.70.150.16256 17 1 275
> 2011/11/11 13:40:26 128.59.28.168.15583 -> 72.52.2.1.53 17 1 65
> 2011/11/11 13:40:26 128.59.28.168.63769 -> 72.52.2.1.53 6 5 265
> 2011/11/11 13:40:26 72.52.2.1.53 -> 128.59.28.168.15583 17 1 65
> 2011/11/11 13:40:26 72.52.2.1.53 -> 128.59.28.168.63769 6 3 402
> 2011/11/11 13:40:27 128.59.28.168.4270 -> 72.52.2.1.53 17 1 69
> 2011/11/11 13:40:27 72.52.2.1.53 -> 128.59.28.168.4270 17 1 300
> 2011/11/11 13:40:28 72.52.2.1.53 -> 156.111.60.150.33723 17 1 275
> 2011/11/11 13:40:30 72.52.2.1.53 -> 156.111.60.150.20972 17 1 238
> 2011/11/11 13:40:30 72.52.2.1.53 -> 156.111.60.150.43183 17 1 124
> 2011/11/11 13:40:31 72.52.2.1.53 -> 156.111.60.150.3208 17 1 126
> 2011/11/11 13:40:32 72.52.2.1.53 -> 156.111.60.150.36908 17 1 239
> 2011/11/11 13:40:33 72.52.2.1.53 -> 156.111.60.150.36686 17 1 126
> 
> There is more just like this if you need it
> 
> Thanks,
> Joel Rosenblatt
> 
> Joel Rosenblatt, Manager Network & Computer Security
> Columbia Information Security Office (CISO)
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> http://www.columbia.edu/~joel
> Public PGP key
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
> 
> 
> 
> --On Friday, November 11, 2011 2:21 PM -0500 Rodney Joffe <rjoffe at centergate.com> wrote:
> 
>> ----------- nsp-security Confidential --------
>> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> 
>> First, sorry for duplicate posting if you see this twice.
>> 
>> Second, it looks like EasyDNS is undergoing what I wrote that paper about in 2004 - a tough DDoS.
>> 
>> Not because of the volume, but because of the profile.
>> 
>> EasyDNS is seeing queries from valid current recursive servers for domains they are *not* authoritative for. However, we looked at our recursive servers and
>> we are not seeing any queries from us, but we are seeing responses from EasyDNS.
>> 
>> Easy is currently mitigating via Prolexic - this is the third in 24 hours. However, they're interested in getting help from us (you).
>> 
>> The queries are being made to 72.52.2.1, and are in the form LLLgames.com where LLL is a random 3 letters.
>> 
>> Could you please look at your flows for traffic headed towards that IP address?
>> 
>> The attack is under way now..
>> 
>> Thanks
>> Rodney
>> 
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
>> Comment: GPGTools - http://gpgtools.org
>> 
>> iEYEARECAAYFAk69ddcACgkQRrelm2onc7AoZgCeI9T7yL9NPp2gt4NWvoGuwpTP
>> w68AnA2Vdcz097b+sKlsh7MUh+C+gVgL
>> =9j8c
>> -----END PGP SIGNATURE-----
>> 
>> 
>> 
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>> 
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security counter-measures.
>> _______________________________________________
>> 
> 
> 
> 
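The thread makes two detection points: Rodney's, that flow data alone cannot separate attack queries from real resolver queries (only the query name in the payload can, and only while it keeps the LLLgames.com shape), and the symptom he reports for a spoofed source, namely responses from 72.52.2.1 arriving at hosts that never sent a query. The script below is an added example, not code from anyone in the thread. It parses flow lines in the layout Joel posted (`date time src.port -> dst.port proto packets bytes`), flags responses from the server's port 53 that have no matching earlier query from the same host, port and protocol, and separately implements the query-name check with the caveat that it stops working once the names become random. It assumes the flow lines are in chronological order, uses 72.52.2.1 from the thread as the server address, and takes its eight sample lines from Joel's list; the function and constant names are my own.

```python
import re
from datetime import datetime

# Layout of the flow lines as posted in the thread:
#   YYYY/MM/DD HH:MM:SS src_ip.src_port -> dst_ip.dst_port proto packets bytes
FLOW_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+) "
    r"(?P<proto>\d+) (?P<packets>\d+) (?P<bytes>\d+)$"
)

# The authoritative server named in the thread.
TARGET_SERVER = "72.52.2.1"

# Eight lines copied from Joel's posted flow list, in chronological order.
SAMPLE_LINES = """\
2011/11/11 13:37:54 72.52.2.1.53 -> 156.111.60.150.60142 17 1 135
2011/11/11 13:37:55 72.52.2.1.53 -> 156.111.60.150.40237 17 1 80
2011/11/11 13:39:46 156.111.60.150.31983 -> 72.52.2.1.53 17 1 78
2011/11/11 13:39:46 72.52.2.1.53 -> 156.111.60.150.31983 17 1 249
2011/11/11 13:40:17 128.59.176.4.10765 -> 72.52.2.1.53 17 1 83
2011/11/11 13:40:17 72.52.2.1.53 -> 128.59.176.4.10765 17 1 244
2011/11/11 13:40:26 128.59.28.168.63769 -> 72.52.2.1.53 6 5 265
2011/11/11 13:40:26 72.52.2.1.53 -> 128.59.28.168.63769 6 3 402
""".splitlines()


def parse_flow(line):
    """Parse one flow line into a dict; return None for lines in another layout."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["date"] + " " + d["time"], "%Y/%m/%d %H:%M:%S"),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "proto": int(d["proto"]),
        "packets": int(d["packets"]), "bytes": int(d["bytes"]),
    }


def find_unsolicited_responses(lines, server_ip, max_age_sec=30):
    """Responses from server_ip:53 with no earlier query from the same
    client host/port/protocol within max_age_sec (lines must be chronological).

    A real resolver's query shows up as an outbound flow before the answer
    comes back; a spoofed source receives answers it never asked for.
    """
    last_query = {}  # (client_ip, client_port, proto) -> time of last query seen
    unsolicited = []
    for line in lines:
        f = parse_flow(line)
        if f is None:
            continue
        if f["dst"] == server_ip and f["dport"] == 53:
            last_query[(f["src"], f["sport"], f["proto"])] = f["ts"]
        elif f["src"] == server_ip and f["sport"] == 53:
            q_ts = last_query.get((f["dst"], f["dport"], f["proto"]))
            if q_ts is None or (f["ts"] - q_ts).total_seconds() > max_age_sec:
                unsolicited.append(f)
    return unsolicited


def summarize(lines, server_ip):
    """Count queries, responses and unsolicited responses involving server_ip."""
    flows = [f for f in (parse_flow(l) for l in lines) if f is not None]
    queries = [f for f in flows if f["dst"] == server_ip and f["dport"] == 53]
    responses = [f for f in flows if f["src"] == server_ip and f["sport"] == 53]
    unsolicited = find_unsolicited_responses(lines, server_ip)
    return {
        "queries": len(queries),
        "responses": len(responses),
        "unsolicited_responses": len(unsolicited),
        "unsolicited_bytes": sum(f["bytes"] for f in unsolicited),
    }


# Payload check for the query names described in the thread: three letters
# followed by games.com. This only helps while the attacker keeps that shape;
# truly random names defeat it, exactly as Rodney notes.
QNAME_RE = re.compile(r"^[a-z]{3}games\.com\.?$", re.IGNORECASE)


def matches_attack_pattern(qname):
    """True if a query name has the LLLgames.com shape from the thread."""
    return QNAME_RE.match(qname) is not None


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES, TARGET_SERVER))
    for f in find_unsolicited_responses(SAMPLE_LINES, TARGET_SERVER):
        print("unsolicited:", f["ts"], f["dst"], f["dport"], f["bytes"], "bytes")
```

On the eight sample lines the first two responses to 156.111.60.150 have no matching query and are flagged, while the three later query/response pairs (including the TCP pair, proto 6) are not. Real resolver traffic with a long pipe or a flow export that splits a pair across the `max_age_sec` window will produce occasional false positives, so the count of unsolicited responses per source host, not a single hit, is the useful signal.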