[nsp-sec] 118K Resolvers used in 10Gbps attack
Joel L. Rosenblatt
joel at columbia.edu
Fri Oct 11 11:14:00 EDT 2013

Hi Gabe,

Thanks for the pointers ... I am not a Windows sysadmin and the
machines belong to some department at the school - I will pass them
along and let them figure it out :-)

Thanks,
Joel
Joel Rosenblatt, Director Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
On Fri, Oct 11, 2013 at 11:00 AM, Gabriel Iovino <giovino at ren-isac.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 10/11/2013 10:17 AM, Joel L. Rosenblatt wrote:
>> Hi,
>>
>> We had 4 of those on Krista's list but not on the open resolver list
>> ... it appears that you can configure a Windows box so that it is not
>> an open resolver, but if the request is in its cache, it will answer
>> anyway.
>>
>> We are looking for the setting to fix this now ... if someone out
>> there knows that answer, I would appreciate a pointer
>
> [DO NOT do this without understanding the implications to your
> environment. I am not a Windows DNS administrator, I sometimes play one
> on mailing lists]
>
> Does deleting the cache.dns file fix this?
>
> References:
>
> Protecting Windows DNS Server from being abused for DNS amplification
> attacks
>
> http://social.technet.microsoft.com/Forums/windowsserver/en-US/fac86dc7-779d-48eb-a113-9c06c2222af9/protecting-windows-dns-server-from-being-abused-for-dns-amplification-attacks
>
> Updating root hints
> http://technet.microsoft.com/en-us/library/cc758353%28v=ws.10%29.aspx
>
> Gabe
>
> - --
> Gabriel Iovino
> Principal Security Engineer, REN-ISAC
> http://www.ren-isac.net
> 24x7 Watch Desk +1(317)278-6630
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (MingW32)
>
> iEYEARECAAYFAlJYEnQACgkQwqygxIz+pTslSQCfZ099+OzqrXF1H05V/suBPvg8
> pIAAn28kvv4IT9WoMF+1jAwMf8m1EeDK
> =8LLL
> -----END PGP SIGNATURE-----
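
An added example, not part of the original thread: a small Python classifier for the DNS response header (RFC 1035) that separates a full open resolver from the case described above, where recursion is off but a cached record is still returned. It assumes the responses were captured by querying your own server from an outside address for a name it is not authoritative for; `classify`, `build_response` and the sample flag values are constructed for illustration.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR = 0x8000   # message is a response
AA = 0x0400   # authoritative answer
RA = 0x0080   # recursion available
RCODE_MASK = 0x000F
REFUSED = 5


def build_response(flags: int, ancount: int) -> bytes:
    """Constructed sample: a bare 12-byte header (id, flags, qd, an, ns, ar)."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)


def classify(response: bytes) -> str:
    """Classify how a server treated an external query, from the header alone."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & QR:
        raise ValueError("not a response (QR=0)")
    rcode = flags & RCODE_MASK
    if rcode == REFUSED:
        return "refused"              # the desired result for outside clients
    if rcode != 0 or ancount == 0:
        return "no-answer"            # referral, empty NOERROR, SERVFAIL, ...
    if flags & AA:
        return "authoritative"        # server owns the zone; expected behaviour
    if flags & RA:
        return "open-resolver"        # recursion offered to outsiders
    # Answer records present, not authoritative, recursion not offered:
    # the data can only have come from the server's cache.
    return "cache-answer"


if __name__ == "__main__":
    samples = {                       # constructed header values
        "recursion on": build_response(0x8180, 1),
        "recursion off, cached": build_response(0x8100, 1),
        "recursion off, not cached": build_response(0x8100, 0),
        "refused": build_response(0x8105, 0),
    }
    for label, msg in samples.items():
        print(f"{label:28s} -> {classify(msg)}")
```

A host that returns `cache-answer` will not show up in a scan that only looks for the RA bit, which matches the four machines that were missing from the open resolver list.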