[nsp-sec] OVH and Ecatel contacts for help with DNS IN ANY attacks wanted
James A. T. Rice
james_r-nsp at jump.org.uk
Sun Feb 3 21:18:48 EST 2013
On Wed, 23 Jan 2013, John Kristoff wrote:
> OVH and Ecatel seem to have a lack of active engagement with the security
> community, but I'd really like to see if I can find someone in either
> organization who I might be able to get some assistance with in
> investigating the DNS IN ANY attacks.
I've spent several days in the last few months tracing back DNS ANY
attacks, and in multiple instances it's led back to Ecatel AS29073, they
have repeatedly told their upstreams they are implementing uRPF and failed
to do so.
When source spoof filtered upstream (which caused 1 million packets per
second to hit the deny clause) they have required it be removed on the
basis of "Most of our customers are BGP customers who don't announce their
prefixes to us, or VPN customers who need to route other addresses
outbound via us". This smells bogus.
When told by their upstream to fix a particular attack from their network
to an IP address within us (AS8943, Jump), they nullrouted Jump's /19
rather than fix the source of the traffic, and then declared the problem
solved (we figured this out later). Frankly the nullroute is a good
service from them.
Conclusion: Not to be trusted.
I'd probably lose a bunch of attack traffic and no legitimate traffic to
our other prefixes if I were to join AMSIX with a 10Mbps port and a
Raspberry Pi purely to peer with them in order to nullroute all traffic
from them.
Cheers
James
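The uRPF behaviour the post argues about, as an added example that is not part of the thread and not any vendor's implementation: a small Python model of strict, feasible-path and loose reverse-path checks run over a constructed FIB and a constructed packet sample. Interface names ("cust", "transit", "null0"), the prefixes (RFC 5737 documentation ranges) and the packets are all hypothetical. It shows why "our BGP customers don't announce their prefixes to us" is an argument against strict mode only, why feasible-path mode keeps an asymmetric multihomed customer while still dropping packets that spoof a remote victim's address, and why loose mode behind a default route stops nothing but bogons.

```python
"""Model of uRPF (Unicast Reverse Path Forwarding) decisions.

Example code added to illustrate the nsp-sec discussion; not from the thread
and not a vendor implementation. FIB, interface names and packets are all
constructed for the example.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    best_iface: str              # interface of the best (FIB) path
    feasible_ifaces: frozenset   # every interface a path to this prefix was learned on


# Constructed FIB of a transit router with one customer port ("cust") and one
# upstream port ("transit"). "null0" marks a discard route.
FIB = (
    Route(ipaddress.ip_network("192.0.2.0/24"), "cust", frozenset({"cust"})),                    # single-homed customer
    Route(ipaddress.ip_network("198.51.100.0/24"), "transit", frozenset({"transit"})),           # remote victim network
    Route(ipaddress.ip_network("203.0.113.0/24"), "transit", frozenset({"transit", "cust"})),    # multihomed customer, best path via transit
    Route(ipaddress.ip_network("100.64.0.0/10"), "null0", frozenset({"null0"})),                 # bogon, discarded
    Route(ipaddress.ip_network("0.0.0.0/0"), "transit", frozenset({"transit"})),                 # default route
)

# Constructed packet sample: (source address, ingress interface, label).
PACKETS = (
    ("192.0.2.10", "cust", "single-homed customer"),
    ("198.51.100.5", "cust", "spoofed victim address"),
    ("203.0.113.7", "cust", "multihomed customer, asymmetric"),
    ("100.64.1.1", "cust", "bogon"),
    ("198.51.100.5", "transit", "reply from victim network"),
)


def longest_match(fib, addr):
    """Return the most specific route covering addr, or None."""
    addr = ipaddress.ip_address(addr)
    candidates = [r for r in fib if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def urpf_permits(fib, src, ingress, mode):
    """True if a packet from src arriving on ingress passes the given uRPF mode."""
    route = longest_match(fib, src)
    if route is None or route.best_iface == "null0":
        return False                       # unrouted or discard-routed source: every mode drops
    if mode == "loose":
        return True                        # any real route suffices, ingress is ignored
    if mode == "feasible":
        return ingress in route.feasible_ifaces   # any learned path via ingress suffices
    if mode == "strict":
        return route.best_iface == ingress        # only the best path's interface suffices
    raise ValueError(f"unknown uRPF mode {mode!r}")


def tally(fib, packets, mode):
    """Split the packet sample into (permitted labels, denied labels) for one mode."""
    permitted, denied = [], []
    for src, ingress, label in packets:
        (permitted if urpf_permits(fib, src, ingress, mode) else denied).append(label)
    return permitted, denied


if __name__ == "__main__":
    for mode in ("strict", "feasible", "loose"):
        ok, dropped = tally(FIB, PACKETS, mode)
        print(f"{mode:9s} permit={ok}")
        print(f"{'':9s} deny  ={dropped}")
```

In this model strict mode on the customer port drops the spoofed victim address but also the multihomed customer whose best path points elsewhere, which is the objection raised in the post; feasible-path mode drops the spoof and keeps that customer; loose mode with a default route in the FIB passes everything except the bogon, so it does nothing against amplification attacks that spoof routable addresses. A customer that genuinely does not announce its prefixes can be accommodated by adding its prefixes as static feasible entries on its port rather than by removing the filter.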