[nsp-sec] ACK 26496 - Re: 30K (Openish) Resolvers

Greg Schwimer gschwimer at godaddy.com
Tue Apr 9 22:50:35 EDT 2013



----- Original Message -----
From: "Krista Hickey" <Krista.Hickey at cogeco.com>
To: nsp-security at puck.nether.net
Sent: Tuesday, April 9, 2013 7:20:33 PM
Subject: [nsp-sec] 30K (Openish) Resolvers

----------- nsp-security Confidential --------


[Apologies if this is duplicate for you, just trying to get the word out]

Hi All

Attached is just shy of 30k resolvers used to attack a customer playing XBOX. Attack was earlier today:

Start 2013-04-09 17:24 (-0400)
End   2013-04-09 19:54 (-0400)

Typical DNS amplification attack with lots of requests including a newish one for me, deniedstresser.com if that rings any bells. A fatfinger had me doing some searches for deniedstressor.com at first which returns some results too (ie: pastebin.com/BpQ9u32e).

I will hold the full data for a couple of days if anyone absolutely needs exact timestamps but ask sooner rather than later and only if you really need it. This really wasn't that big of an attack so not a call to arms to help us but if anyone wants to backtrack a bit...that'd be cool. Might also be neat for someone to cross reference with Jared's resolver work, maybe an extra flag to indicate it actually has been used in an attack for added effect. 

Also of note is that, as discussed previously, the fact that recursion is turned off but you still answer doesn't really mean much to attacker or victim as response is response, ie: the attack participant below.

Thanks for help in securing things, share as necessary without attribution.

Krista

; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46809
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;example.com.                   IN      A

;; AUTHORITY SECTION:
.                       3600    IN      NS      j.root-servers.net.
.                       3600    IN      NS      l.root-servers.net.
.                       3600    IN      NS      b.root-servers.net.
.                       3600    IN      NS      h.root-servers.net.
.                       3600    IN      NS      e.root-servers.net.
.                       3600    IN      NS      d.root-servers.net.
.                       3600    IN      NS      c.root-servers.net.
.                       3600    IN      NS      a.root-servers.net.
.                       3600    IN      NS      i.root-servers.net.
.                       3600    IN      NS      f.root-servers.net.
.                       3600    IN      NS      g.root-servers.net.
.                       3600    IN      NS      m.root-servers.net.
.                       3600    IN      NS      k.root-servers.net.

;; ADDITIONAL SECTION:
j.root-servers.net.     3600    IN      A       192.58.128.30
l.root-servers.net.     3600    IN      A       199.7.83.42
b.root-servers.net.     3600    IN      A       192.228.79.201
h.root-servers.net.     3600    IN      A       128.63.2.53

;; Query time: 32 msec
;; SERVER: 173.193.248.101#53(173.193.248.101)
;; WHEN: Tue Apr  9 23:06:30 2013
;; MSG SIZE  rcvd: 508



_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________
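The message above makes one point worth checking against your own servers: a resolver that answers "recursion requested but not available" with a full root referral (13 NS records plus glue, 508 bytes in the dig output) is as useful a reflector as an open recursive one, because the victim receives the bytes either way. The following is an added example, not code from the thread or from any of the participants: it parses wire-format DNS responses, reports the RA flag, RCODE and section counts, and computes the response/query byte ratio, then classifies the server as refused, open recursive, or "recursion off but still answering". All messages are constructed locally (the root NS names and glue addresses are the ones from the dig output); nothing is sent on the network, and the builder functions and verdict strings are this example's own.

```python
"""Classify DNS responses by whether the server still acts as an amplifier.

Constructed example: three response shapes for the same 29-byte query, parsed
with a small wire-format decoder (handles name compression pointers).
"""
import struct

RA_FLAG, RCODE_MASK, RCODE_REFUSED = 0x0080, 0x000F, 5
# Root NS set and glue in the order shown in the thread's dig output.
ROOT_NS = [f"{c}.root-servers.net." for c in "jlbhedcaifgmk"]
GLUE = [("j.root-servers.net.", "192.58.128.30"), ("l.root-servers.net.", "199.7.83.42"),
        ("b.root-servers.net.", "192.228.79.201"), ("h.root-servers.net.", "128.63.2.53")]


def _encode_name(name: str) -> bytes:
    """Wire-encode a dotted name ('.' encodes as the single root label)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def _rr(owner: bytes, rtype: int, rdata: bytes, ttl: int = 3600) -> bytes:
    """One resource record: owner name, TYPE, CLASS IN, TTL, RDLENGTH, RDATA."""
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Plain query with RD set: the small packet that gets reflected in these attacks."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + _encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_referral_response(query: bytes) -> bytes:
    """Server with recursion off: QR set, RA clear, RCODE 0, empty ANSWER, but the
    full root NS set in AUTHORITY and A glue in ADDITIONAL (glue owner names use
    compression pointers, as real servers do)."""
    txid = struct.unpack("!H", query[:2])[0]
    body = query[12:]                               # echo the question section
    ns_offsets = {}
    for ns in ROOT_NS:
        ns_offsets[ns] = 12 + len(body) + 1 + 10    # root owner (1 byte) + fixed RR header (10)
        body += _rr(_encode_name("."), 2, _encode_name(ns))
    for host, ip in GLUE:
        owner = struct.pack("!H", 0xC000 | ns_offsets[host])   # pointer to the NS rdata name
        body += _rr(owner, 1, bytes(int(o) for o in ip.split(".")))
    return struct.pack("!HHHHHH", txid, 0x8100, 1, 0, len(ROOT_NS), len(GLUE)) + body


def build_refused_response(query: bytes) -> bytes:
    """Server that rejects outside queries outright (RCODE=REFUSED, no records)."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, 0x8100 | RCODE_REFUSED, 1, 0, 0, 0) + query[12:]


def build_recursive_response(query: bytes, ip: str) -> bytes:
    """Open recursive resolver: RA set and one A answer for the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    answer = _rr(b"\xc0\x0c", 1, bytes(int(o) for o in ip.split(".")))   # 0xC00C -> question name
    return struct.pack("!HHHHHH", txid, 0x8100 | RA_FLAG, 1, 1, 0, 0) + query[12:] + answer


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset just after it)."""
    labels, end, jumps = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            jumps += 1
            if jumps > 16:
                raise ValueError("pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def classify(query: bytes, response: bytes) -> dict:
    """Parse a response and report whether this server is still usable as a reflector."""
    try:
        txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
        off = 12
        for _ in range(qd):
            _, off = _read_name(response, off)
            off += 4                                # QTYPE + QCLASS
        for _ in range(an + ns + ar):
            _, off = _read_name(response, off)
            off += 10 + struct.unpack("!H", response[off + 8:off + 10])[0]
        if off != len(response):
            raise ValueError("trailing bytes")
    except (IndexError, ValueError, struct.error):
        return {"verdict": "malformed response"}
    ra, rcode = bool(flags & RA_FLAG), flags & RCODE_MASK
    if rcode == RCODE_REFUSED:
        verdict = "REFUSED: no amplification"
    elif ra:
        verdict = "open recursive resolver"
    elif an + ns + ar:
        verdict = "recursion disabled but still answers: referral amplifier"
    else:
        verdict = "minimal response"
    return {"ra": ra, "rcode": rcode, "answer": an, "authority": ns, "additional": ar,
            "bytes": len(response), "ratio": round(len(response) / len(query), 1), "verdict": verdict}


if __name__ == "__main__":
    q = build_query("example.com.")
    for label, resp in [("referral", build_referral_response(q)),
                        ("refused", build_refused_response(q)),
                        ("recursive", build_recursive_response(q, "192.0.2.1"))]:
        print(label, classify(q, resp))
```

The constructed referral comes to 496 bytes for a 29-byte query (about 17x; the thread's real 508-byte answer is the same shape with slightly different compression), while the REFUSED reply is 29 bytes and gives no gain at all. That is the check to run against your own authoritative and formerly-recursive servers: the useful outcome is the REFUSED or no-response case, not "recursion off". In BIND that means restricting `allow-query` (not just `allow-recursion`) to the networks that need answers, or, for servers that must answer the world, enabling the `rate-limit` response-rate-limiting block and `minimal-responses yes` so a referral stops carrying the full glue set.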