[nsp-sec] 30K (Openish) Resolvers
Dave Burke
dave at amazon.com
Wed Apr 10 14:24:25 EDT 2013
Thanks, ACK for Amazon (14618, 16509, 38895)
On Apr 9, 2013, at 7:20 PM, Krista Hickey wrote:
> ----------- nsp-security Confidential --------
>
> [Apologies if this is duplicate for you, just trying to get the word out]
>
> Hi All
>
> Attached is just shy of 30k resolvers used to attack a customer playing XBOX. Attack was earlier today,
>
> Start 2013-04-09 17:24 (-0400)
> End 2013-04-09 19:54 (-0400)
>
> Typical DNS amplification attack with lots of requests including a newish one for me, deniedstresser.com if that rings any bells. A fat finger had me doing some searches for deniedstressor.com at first which returns some results too (ie: pastebin.com/BpQ9u32e).
>
> I will hold the full data for a couple of days if anyone absolutely needs exact timestamps but ask sooner rather than later and only if you really need it. This really wasn't that big of an attack so not a call to arms to help us but if anyone wants to backtrack a bit...that'd be cool. Might also be neat for someone to cross reference with Jared's resolver work, maybe an extra flag to indicate it actually has been used in an attack for added effect.
>
> Also of note is that, as discussed previously, the fact that recursion is turned off but you still answer doesn't really mean much to attacker or victim as response is response, ie: the attack participant below.
>
> Thanks for help in securing things, share as necessary without attribution.
>
> Krista
>
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46809
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 4
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;example.com. IN A
>
> ;; AUTHORITY SECTION:
> . 3600 IN NS j.root-servers.net.
> . 3600 IN NS l.root-servers.net.
> . 3600 IN NS b.root-servers.net.
> . 3600 IN NS h.root-servers.net.
> . 3600 IN NS e.root-servers.net.
> . 3600 IN NS d.root-servers.net.
> . 3600 IN NS c.root-servers.net.
> . 3600 IN NS a.root-servers.net.
> . 3600 IN NS i.root-servers.net.
> . 3600 IN NS f.root-servers.net.
> . 3600 IN NS g.root-servers.net.
> . 3600 IN NS m.root-servers.net.
> . 3600 IN NS k.root-servers.net.
>
> ;; ADDITIONAL SECTION:
> j.root-servers.net. 3600 IN A 192.58.128.30
> l.root-servers.net. 3600 IN A 199.7.83.42
> b.root-servers.net. 3600 IN A 192.228.79.201
> h.root-servers.net. 3600 IN A 128.63.2.53
>
> ;; Query time: 32 msec
> ;; SERVER: 173.193.248.101#53(173.193.248.101)
> ;; WHEN: Tue Apr 9 23:06:30 2013
> ;; MSG SIZE rcvd: 508
> <649450.txt>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
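Added example, not part of Krista's or Dave's messages: a small Python check that parses dig output like the one quoted above and works out the amplification factor, to make concrete the point that a server which refuses recursion but still answers is as useful to an attacker as an open resolver. The first sample is the dig output posted above (authority section trimmed, the parser does not need it); the second sample is constructed to show how an actual open recursive resolver is classified. It assumes the spoofed query carried no EDNS OPT record, so a query for example.com. IN A is 29 bytes on the wire.

```python
import re

# dig output as posted in the thread for 173.193.248.101 (authority records trimmed).
# Recursion is refused ("rd" set, no "ra"), yet a 508-byte referral comes back.
REFERRAL_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46809
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;example.com. IN A

;; AUTHORITY SECTION:
. 3600 IN NS j.root-servers.net.
. 3600 IN NS l.root-servers.net.
(remaining root NS records and glue omitted here)

;; MSG SIZE rcvd: 508
"""

# Constructed sample (not from the thread): an open recursive resolver answering a short A record.
OPEN_RESOLVER_DIG = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com.			IN	A

;; ANSWER SECTION:
example.com.		300	IN	A	93.184.216.34

;; MSG SIZE  rcvd: 45
"""

FLAGS_RE = re.compile(
    r"^;; flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)", re.M)
SIZE_RE = re.compile(r"^;; MSG SIZE\s+rcvd: (\d+)", re.M)
QUESTION_RE = re.compile(r"^;; QUESTION SECTION:\s*\n;(\S+)\s+IN\s+(\S+)", re.M)


def parse_dig(text):
    """Pull flags, section counts, question and response size out of dig's text output."""
    flags = FLAGS_RE.search(text)
    question = QUESTION_RE.search(text)
    size = SIZE_RE.search(text)
    if not (flags and question and size):
        raise ValueError("not a complete dig output")
    return {
        "flags": set(flags.group(1).split()),
        "answer": int(flags.group(3)),
        "authority": int(flags.group(4)),
        "additional": int(flags.group(5)),
        "qname": question.group(1),
        "qtype": question.group(2),
        "msg_size": int(size.group(1)),
    }


def query_wire_size(qname, edns=False):
    """Bytes the attacker has to spoof: 12-byte header + QNAME + QTYPE + QCLASS (+ OPT RR if EDNS)."""
    labels = [label for label in qname.rstrip(".").split(".") if label]
    name_len = sum(1 + len(label) for label in labels) + 1  # length byte per label, plus root byte
    size = 12 + name_len + 4
    if edns:
        size += 11  # OPT RR: root name(1) + type(2) + class(2) + ttl(4) + rdlen(2), no options
    return size


def classify(report, edns=False):
    """Rate the server as an amplifier regardless of whether it offers recursion."""
    query_bytes = query_wire_size(report["qname"], edns)
    recursive = "ra" in report["flags"]
    if recursive and report["answer"] > 0:
        role = "open recursive resolver"
    elif not recursive and report["msg_size"] > query_bytes:
        # Recursion refused, but the referral plus glue still dwarfs the query.
        role = "non-recursive but still amplifies (referral/glue)"
    else:
        role = "negligible amplification"
    return {
        "query_bytes": query_bytes,
        "response_bytes": report["msg_size"],
        "amplification": round(report["msg_size"] / query_bytes, 1),
        "recursion_available": recursive,
        "role": role,
    }


if __name__ == "__main__":
    for sample in (REFERRAL_DIG, OPEN_RESOLVER_DIG):
        print(classify(parse_dig(sample)))
```

For the quoted server the 29-byte query draws a 508-byte answer, an amplification factor of about 17.5 even though the resolver refused recursion; the constructed open resolver returning a single A record amplifies far less. Anything answering on UDP/53 to the world belongs on the list, not only hosts with the "ra" flag set.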