[nsp-sec] 30K (Openish) Resolvers

Krista Hickey Krista.Hickey at cogeco.com
Tue Apr 9 22:20:33 EDT 2013


[Apologies if this is duplicate for you, just trying to get the word out]

Hi All

Attached is just shy of 30k resolvers used to attack a customer playing XBOX. The attack was earlier today:

Start 2013-04-09 17:24 (-0400)
End   2013-04-09 19:54 (-0400)

Typical DNS amplification attack with lots of requests, including a newish one for me, deniedstresser.com, if that rings any bells. A fat-finger had me doing some searches for deniedstressor.com at first, which returns some results too (i.e. pastebin.com/BpQ9u32e).

I will hold the full data for a couple of days if anyone absolutely needs exact timestamps, but ask sooner rather than later, and only if you really need it. This really wasn't that big of an attack, so this is not a call to arms to help us, but if anyone wants to backtrack a bit... that'd be cool. It might also be neat for someone to cross-reference this with Jared's resolver work, maybe with an extra flag to indicate that a resolver has actually been used in an attack, for added effect.

Also of note is that, as discussed previously, the fact that recursion is turned off but you still answer doesn't really mean much to the attacker or the victim, as a response is a response; e.g. the attack participant below.

Thanks for help in securing things, share as necessary without attribution.

Krista

; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46809
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;example.com.                   IN      A

;; AUTHORITY SECTION:
.                       3600    IN      NS      j.root-servers.net.
.                       3600    IN      NS      l.root-servers.net.
.                       3600    IN      NS      b.root-servers.net.
.                       3600    IN      NS      h.root-servers.net.
.                       3600    IN      NS      e.root-servers.net.
.                       3600    IN      NS      d.root-servers.net.
.                       3600    IN      NS      c.root-servers.net.
.                       3600    IN      NS      a.root-servers.net.
.                       3600    IN      NS      i.root-servers.net.
.                       3600    IN      NS      f.root-servers.net.
.                       3600    IN      NS      g.root-servers.net.
.                       3600    IN      NS      m.root-servers.net.
.                       3600    IN      NS      k.root-servers.net.

;; ADDITIONAL SECTION:
j.root-servers.net.     3600    IN      A       192.58.128.30
l.root-servers.net.     3600    IN      A       199.7.83.42
b.root-servers.net.     3600    IN      A       192.228.79.201
h.root-servers.net.     3600    IN      A       128.63.2.53

;; Query time: 32 msec
;; SERVER: 173.193.248.101#53(173.193.248.101)
;; WHEN: Tue Apr  9 23:06:30 2013
;; MSG SIZE  rcvd: 508
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 649450.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20130410/ce7f4941/attachment-0001.txt>
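The dig output above is the whole point of the "recursion off, but you still answer" remark: a ~29-byte query gets a root referral back that is many times larger. What follows is an added example written for this page, not part of Krista's post or of the attached resolver list. It builds a query for example.com, constructs a reply shaped like the one above (qr and rd set, ra clear, NOERROR, ANSWER 0, 13 root NS in AUTHORITY, 4 glue A in ADDITIONAL), and parses that reply to report the amplification factor. The reply bytes are constructed here with name compression, so its size differs from the 508 bytes dig reported; the root-server letters and glue addresses are copied from the post, everything else (function names, the fixed transaction ID, the size figures) is the example's own.

```python
"""Added example: measure DNS amplification from a responder that does not recurse.
The response below is constructed to mirror the dig output in the post; it is
not captured from any real server, and sizes are illustrative only."""
import struct

ROOT_LETTERS = "jlbhedcaifgmk"          # order as printed in the post's AUTHORITY section
GLUE = {"j": "192.58.128.30", "l": "199.7.83.42",   # ADDITIONAL section of the post
        "b": "192.228.79.201", "h": "128.63.2.53"}


def encode_name(name, msg, comp):
    """Append `name` to bytearray `msg` in wire format with RFC 1035 pointer
    compression; `comp` maps an already-written suffix to its message offset."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    while labels:
        suffix = ".".join(labels)
        if suffix in comp:
            msg += struct.pack("!H", 0xC000 | comp[suffix])  # pointer ends the name
            return
        comp[suffix] = len(msg)  # offsets here stay well below the 0x3FFF pointer limit
        msg += bytes([len(labels[0])]) + labels[0].encode("ascii")
        labels = labels[1:]
    msg += b"\x00"  # root label terminates an uncompressed name


def build_query(qname, qtype=1, txid=0x1234):
    """Minimal UDP query with RD set: what the attacker spoofs from the victim."""
    msg = bytearray(struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0))
    encode_name(qname, msg, {})
    msg += struct.pack("!HH", qtype, 1)
    return bytes(msg)


def add_rr(msg, comp, owner, rtype, ttl, write_rdata):
    """Append one RR; RDLENGTH is patched after RDATA is written so that
    compressed names inside RDATA are sized correctly."""
    encode_name(owner, msg, comp)
    msg += struct.pack("!HHI", rtype, 1, ttl)
    rdlen_pos = len(msg)
    msg += b"\x00\x00"
    start = len(msg)
    write_rdata(msg, comp)
    struct.pack_into("!H", msg, rdlen_pos, len(msg) - start)


def build_referral_response(query):
    """Constructed reply modelled on the post: recursion not available (RA=0),
    yet a full root referral comes back.  Flags: QR=1, RD echoed, RCODE=0."""
    txid = struct.unpack("!H", query[:2])[0]
    msg = bytearray(struct.pack("!HHHHHH", txid, 0x8100, 1, 0,
                                len(ROOT_LETTERS), len(GLUE)))
    msg += query[12:]  # echo the question section verbatim
    comp = {}
    for letter in ROOT_LETTERS:  # AUTHORITY: ".  3600 IN NS x.root-servers.net."
        host = f"{letter}.root-servers.net"
        add_rr(msg, comp, ".", 2, 3600, lambda m, c, h=host: encode_name(h, m, c))
    for letter, ip in GLUE.items():  # ADDITIONAL: glue A records
        add_rr(msg, comp, f"{letter}.root-servers.net", 1, 3600,
               lambda m, c, a=ip: m.extend(bytes(map(int, a.split(".")))))
    return bytes(msg)


def skip_name(msg, off):
    """Return the offset just past the name at `off` (a pointer ends a name)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def analyze(query, response):
    """Parse the header, walk every section, and compute bytes returned per
    byte sent.  A responder that answers at all amplifies, recursion or not."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(response, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(response, off)
        _rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", response, off)
        off += 10 + rdlen
    info = {
        "id_match": txid == struct.unpack("!H", query[:2])[0],
        "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
        "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "answer": an, "authority": ns, "additional": ar,
        "parsed_ok": off == len(response),
        "query_bytes": len(query), "response_bytes": len(response),
        "amplification": round(len(response) / len(query), 2),
    }
    # The post's observation: recursion refused, but the reply still amplifies.
    info["amplifies_without_recursion"] = (not info["ra"]) and len(response) > len(query)
    return info


if __name__ == "__main__":
    q = build_query("example.com")
    r = build_referral_response(q)
    for key, value in analyze(q, r).items():
        print(f"{key:30} {value}")
```

To measure a real responder, replace build_referral_response with a UDP send of build_query's bytes to port 53 and feed the datagram that comes back to analyze; the thing to watch is that "ra" false and "rcode" 0 with a non-empty AUTHORITY section is exactly the shape in the post, and even a REFUSED (rcode 5) reply is still a reply to the spoofed source.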
