[nsp-sec] Info share: REN-ISAC alert DNS Amplification attacks
Eli Dart
dart at es.net
Thu May 9 12:35:09 EDT 2013
Hi all,
On 5/8/13 11:39 AM, Smith, Donald wrote:
> ----------- nsp-security Confidential --------
>
> Minor nit, BCP38 is intended to block ingress traffic not egress traffic.
> " - Apply BCP38 filtering to prevent spoofed source address traffic from
> leaving your network. "
>
> "Network Ingress Filtering:
> Defeating Denial of Service Attacks which employ
> IP Source Address Spoofing"
>
> So it should probably be from entering your network:)
Sorry to jump in late - it sounds like there might be a point of view
issue here.
From the perspective of a network provider, one wants to prevent
spoofed traffic from entering the network.
The view is reversed from the perspective of a university campus (which
I expect many REN-ISAC sites are). A university or other end site
should filter traffic leaving its network.
Do we need a term ("inverse BCP38 filtering?") to describe
site-configured egress filtering to prevent the sending of spoofed
traffic to a provider?
--eli
>
> (coffee != sleep) & (!coffee == sleep)
> Donald.Smith at centurylink.com
>
>
>
> From: nsp-security [nsp-security-bounces at puck.nether.net] on behalf of Gabriel Iovino [giovino at ren-isac.net]
> Sent: Wednesday, May 08, 2013 12:13 PM
> To: NSP nsp-security
> Subject: [nsp-sec] Info share: REN-ISAC alert DNS Amplification attacks
>
>
> ----------- nsp-security Confidential --------
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Greetings,
>
> The REN-ISAC released an alert to .edu today regarding DNS Amplification
> attacks.
>
> CIO version of the Alert
> http://www.ren-isac.net/alerts/dns_amp_ddos_cio_201305.html
>
> Technical version of the Alert
> http://www.ren-isac.net/alerts/dns_amp_ddos_tech_201305.html
>
> I share this with nsp-sec as most of us have constituents we are
> attempting to persuade to mitigate open resolvers and implement bcp38.
> Maybe text from this alert will save you some time? Please feel free to
> borrow/steal from it as you see fit.
>
> A special thank you to everyone referenced in the alert, you are doing a
> lot of the heavy lifting.
>
> Here are a few other recent alerts I am aware of:
>
> US-CERT Alert (TA13-088A) DNS Amplification Attacks
> http://www.us-cert.gov/ncas/alerts/TA13-088A
>
> DNS amplification attacks and open DNS resolvers
> https://www.cert.be/pro/docs/dns-amplification-attacks-and-open-dns-resolvers
>
> [slight topic change -> remediation experience]
>
> When DNS amplification attacks are being shared in various remediation
> communities and we alert our constituents we see ~30-40% remediation in
> the first 24 hours. We also get feedback that:
>
> 1. Organizations have plans in place to mitigate open recursive resolvers
>
> 2. These notifications are helping them make the business case
> internally to do the right thing.
>
> Keep the attack data sets coming!
>
> thank you
>
> Gabe
>
> - --
> Gabriel Iovino
> Principal Security Engineer, REN-ISAC
> http://www.ren-isac.net
> 24x7 Watch Desk +1(317)278-6630
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
>
> iEYEARECAAYFAlGKlbEACgkQwqygxIz+pTsh4gCgtD2R4Q++U8NR+P0JLaKS+Y4t
> 7YoAnRRiT2GI+4ZZ17tC08rkT1c48qGJ
> =0H49
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>
>
--
Eli Dart NOC: (510) 486-7600
ESnet Network Engineering Group (AS293) (800) 333-7638
Lawrence Berkeley National Laboratory
PGP Key fingerprint = C970 F8D3 CFDD 8FFF 5486 343A 2D31 4478 5F82 B2B3
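The ingress/egress point-of-view question in the thread comes down to one rule: a packet may only leave the site (equivalently, enter the provider on the customer-facing interface) if its source address belongs to the site's own prefixes. The following is an added example, not code from the thread or from REN-ISAC/ESnet. The prefixes (RFC 5737/3849 documentation space), the packets and the ACL name are constructed for illustration; the rendered ACL uses Cisco IOS extended-ACL syntax.

```python
"""BCP38 source-address validation, seen from the campus (egress) side.

Added example. SITE_PREFIXES and SAMPLE_PACKETS are constructed, not taken
from the REN-ISAC alert or the mailing-list thread.
"""
import ipaddress
from dataclasses import dataclass

# Constructed campus allocation: one IPv4 and one IPv6 prefix.
SITE_PREFIXES = ["192.0.2.0/24", "2001:db8:1::/48"]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    note: str = ""


# Constructed traffic leaving the campus border toward the upstream provider.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "198.51.100.53", "campus host querying an outside resolver"),
    Packet("203.0.113.7", "198.51.100.53", "spoofed victim source aimed at an open resolver"),
    Packet("10.0.0.5", "198.51.100.1", "RFC 1918 source leaking out"),
    Packet("2001:db8:1::1", "2001:db8:2::53", "campus IPv6 host, legitimate"),
    Packet("2001:db8:9::1", "2001:db8:2::53", "IPv6 source outside the site allocation"),
]


def site_networks(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def source_is_valid(src, networks):
    """The BCP38 test: is the source address inside one of the site's prefixes?"""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in networks if net.version == addr.version)


def apply_bcp38(packets, prefixes):
    """Split packets into (forwarded, dropped), as the border filter would."""
    nets = site_networks(prefixes)
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if source_is_valid(pkt.src, nets) else dropped).append(pkt)
    return forwarded, dropped


def ios_acl(prefixes, name="BCP38"):
    """Render the same rule as a Cisco IOS extended ACL (IPv4 prefixes only).

    IOS wildcard masks are the inverted netmask, which ipaddress exposes as
    hostmask. The final deny logs anything that would have been spoofed.
    """
    lines = [f"ip access-list extended {name}"]
    for net in site_networks(prefixes):
        if net.version == 4:
            lines.append(f" permit ip {net.network_address} {net.hostmask} any")
    lines.append(" deny ip any any log")
    return "\n".join(lines)


if __name__ == "__main__":
    fwd, drop = apply_bcp38(SAMPLE_PACKETS, SITE_PREFIXES)
    for p in fwd:
        print("forward", p.src, "->", p.dst, "#", p.note)
    for p in drop:
        print("drop   ", p.src, "->", p.dst, "#", p.note)
    print(ios_acl(SITE_PREFIXES))
```

The same permit list answers both viewpoints in the thread: a campus applies it outbound on its upstream interface (`ip access-group BCP38 out`), while the provider applies the identical list inbound on the customer-facing interface (`ip access-group BCP38 in`). Only the direction keyword changes. One caveat a practitioner will hit: the list must contain every prefix the site legitimately sources from, including any provider-independent or multihomed space, or real traffic is dropped along with the spoofed packets.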