[nsp-sec] OVH and Ecatel contacts for help with DNS IN ANY attacks wanted
Chris Morrow
morrowc at ops-netman.net
Sun Feb 3 22:16:53 EST 2013
ecatel hasn't been 'trusted' pretty much ever :(
On 02/03/2013 09:18 PM, James A. T. Rice wrote:
> ----------- nsp-security Confidential --------
>
> On Wed, 23 Jan 2013, John Kristoff wrote:
>
>> OVH and Ecatel seem to have a lack of active engagement with the security
>> community, but I'd really like to see if I can find someone in either
>> organization who I might be able to get some assistance with in
>> investigating the DNS IN ANY attacks.
>
> I've spent several days in the last few months tracing back DNS ANY
> attacks, and in multiple instances it's led back to Ecatel AS29073, they
> have repeatedly told their upstreams they are implementing uRPF and
> failed to do so.
>
> When source spoof filtered upstream (which caused 1 million packets per
> second to hit the deny clause) they have required it be removed on the
> basis of "Most of our customers are BGP customers who don't announce
> their prefixes to us, or VPN customers who need to route other addresses
> outbound via us". This smells bogus.
>
yea... :(
> When told by their upstream to fix a particular attack from their
> network to an IP address within us (AS8943, Jump), they nullrouted
> Jump's /19 rather than fix the source of the traffic, and then declared
> the problem solved (we figured this out later). Frankly the nullroute is
> a good service from them.
>
> Conclusion: Not to be trusted.
>
> I'd probably lose a bunch of attack traffic and no legitimate traffic to
> our other prefixes if I were to join AMSIX with a 10Mbps port and a
> Raspberry Pi purely to peer with them in order to nullroute all traffic
> from them.
ha! awesome plan.
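The thread turns on the difference between strict and loose uRPF: the "BGP customers who don't announce their prefixes to us" objection only bites in strict mode, while spoofed sources with no route at all (the kind behind DNS ANY reflection) are dropped in both. As an added illustration, not code from the thread, here is a small model of both checks; the routing table, interface names and packet samples are constructed, and the FIB deliberately carries no default route so that loose mode has something to drop.

```python
import ipaddress

# Constructed FIB: prefixes reachable via each customer-facing interface.
# No default route is present, so loose uRPF drops sources absent from it.
ROUTES = {
    "cust-A": ["192.0.2.0/24"],
    "cust-B": ["203.0.113.0/24"],
}


def best_route(src):
    """Longest-prefix match over ROUTES; returns (interface, network) or None."""
    ip = ipaddress.ip_address(src)
    best = None
    for iface, prefixes in ROUTES.items():
        for p in prefixes:
            net = ipaddress.ip_network(p)
            if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (iface, net)
    return best


def urpf_permits(src, in_iface, mode="strict"):
    """Strict: the route back to src must point out the ingress interface.
    Loose: any route back to src is enough."""
    route = best_route(src)
    if route is None:
        return False  # no route to the source at all: dropped in both modes
    if mode == "loose":
        return True
    return route[0] == in_iface


# Constructed samples: (source address, ingress interface)
PACKETS = [
    ("192.0.2.10", "cust-A"),    # source inside the prefix routed via cust-A
    ("203.0.113.7", "cust-A"),   # cust-B's prefix arriving on cust-A (unannounced/asymmetric)
    ("198.51.100.5", "cust-A"),  # no route back at all: typical spoofed reflection source
]


def classify(packets, mode):
    """Return (src, iface, verdict) per packet for the given uRPF mode."""
    return [(s, i, "permit" if urpf_permits(s, i, mode) else "drop")
            for s, i in packets]


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, classify(PACKETS, mode))
```

The second sample is the one an operator with unannounced BGP customers would cite as a reason against strict mode; the third is dropped by either mode, so the objection does not justify leaving loose uRPF off.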