Hi list,

I am wondering if anyone else has seen a large amount of DNS queries coming from various IP ranges in China. I have been trying to find a pattern in the attacks but so far I have come up blank. I am completely guessing these are possibly DNS amplification attacks but I am not sure. Usually what I see is this:

- Attacks most commonly between the hours of 4AM-4PM UTC
- DNS queries appear to be for real domains that the DNS servers in question are authoritative for (I can't really see any pattern there, there are about 150,000 zones on the servers in question)
- From a range of IPs there will be an attack for approximately 5-10 minutes before stopping and then a break of 30 minutes or so before another attack from a different IP range
- Every IP range has been from China

I have limited the number of queries that can be done to mitigate this but it's messing up my pretty netflow graphs due to the spikes in flows/packets being sent.

Does anyone have any ideas what the reasoning behind this could be? I would also be interested to hear from anyone else experiencing this too.

I can provide IP ranges from where I am seeing the issue but it does vary a lot between the attacks with the only pattern every time being the source address is located in China. I read a thread earlier, http://seclists.org/nanog/2011/Nov/920, which sounds like the exact thing I am seeing.

Thanks
In message <CALjCmpma-gXUerPUfeAWtgZn4qtVkxJTaEFL3D9Gc0OTvS96oQ@mail.gmail.com>, toor writes:
Most of the time you will be being used as an amplifier and the source traffic is spoofed. The short periods are so that it is harder to trace the compromised machines.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
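The burst pattern toor describes (5-10 minute runs from one source range, a lull of about 30 minutes, queries spread over many real zones) can be pulled out of the authoritative server's own query log instead of being read off netflow spikes, which also gives the per-range windows and source prefixes one would hand to an upstream when the "sources" are in fact spoofed victims, as Mark notes. The following is an added example, not code from the thread or from any participant: it assumes the BIND 9 querylog line format, treats the source /24 as the "IP range", and runs on constructed log lines.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# BIND 9 querylog line (assumed format): "18-Jan-2012 04:05:00.000 client 203.0.113.5#53421: query: example.com IN A + (10.0.0.53)"
LOG_RE = re.compile(r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client ([\d.]+)#\d+: query: (\S+) IN ")

def parse(line):
    m = LOG_RE.match(line)                          # returns None for non-query lines
    if not m:
        return None
    minute = datetime.strptime(m[1], "%d-%b-%Y %H:%M:%S").replace(second=0)
    return minute, ip_network(m[2] + "/24", strict=False), m[3]

def burst_windows(lines, qpm_threshold, min_minutes=2):
    """Runs of consecutive minutes in which one source /24 sent >= qpm_threshold queries.
    Returns [(net, start, end, total_queries, unique_qnames)] sorted by start."""
    per_min = defaultdict(Counter)                  # (net, minute) -> Counter(qname)
    for minute, net, qname in filter(None, map(parse, lines)):
        per_min[(net, minute)][qname] += 1
    windows = []
    for net in {n for n, _ in per_min}:
        hot = sorted(m for n, m in per_min if n == net
                     and sum(per_min[(n, m)].values()) >= qpm_threshold)
        run = []
        for m in hot + [None]:                      # None flushes the final run
            if run and (m is None or m - run[-1] != timedelta(minutes=1)):
                if len(run) >= min_minutes:
                    names = sum((per_min[(net, x)] for x in run), Counter())
                    windows.append((net, run[0], run[-1] + timedelta(minutes=1),
                                    sum(names.values()), len(names)))
                run = []
            if m is not None:
                run.append(m)
    return sorted(windows, key=lambda w: w[1])

def constructed_log():
    """Constructed sample (not real traffic): 1 qpm background, a 6-minute burst from one /24,
    a 30-minute lull, then a 7-minute burst from another /24. RFC 5737 documentation addresses."""
    t0, lines = datetime(2012, 1, 18, 4, 0), []
    def q(ts, src, name):
        lines.append(f"{ts:%d-%b-%Y %H:%M:%S}.000 client {src}#40000: query: {name} IN A + (10.0.0.53)")
    for minute in range(60):
        q(t0 + timedelta(minutes=minute), "198.51.100.7", "legit.example")
        for start, length, prefix, qpm in ((5, 6, "203.0.113.", 120), (41, 7, "192.0.2.", 90)):
            if start <= minute < start + length:
                for i in range(qpm):                # many distinct zones per burst, as toor observed
                    q(t0 + timedelta(minutes=minute, seconds=i % 60), f"{prefix}{i % 250 + 1}", f"zone{i}.example")
    return lines
```

The gap between one window's end and the next window's start is the lull toor reports; the unique-qname count per window shows whether the burst fans out across the hosted zones or hammers a few names.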
On Wed, Jan 18, 2012 at 12:04 AM, toor <lists@1337.mx> wrote:
> Hi list,
> I am wondering if anyone else has seen a large amount of DNS queries coming from various IP ranges in China. I have been trying to find a
china is a big country....
> pattern in the attacks but so far I have come up blank. I am completely guessing these are possibly DNS amplification attacks but I am not sure. Usually what I see is this:
> - Attacks most commonly between the hours of 4AM-4PM UTC
> - DNS queries appear to be for real domains that the DNS servers in question are authoritative for (I can't really see any pattern there, there are about 150,000 zones on the servers in question)
yup
> - From a range of IPs there will be an attack for approximately 5-10 minutes before stopping and then a break of 30 minutes or so before another attack from a different IP range
marka noted that the source is really the thing being attacked, that seems to be the case in the incidents I've seen (and which I've seen other folks also make note of, over the last ~2-3 months)
> - Every IP range has been from China
yup, probably over .cn peer links? if you have them...
> I have limited the number of queries that can be done to mitigate this but it's messing up my pretty netflow graphs due to the spikes in flows/packets being sent.
yea... you can't really limit queries, unless you can react in almost real-time to drop the queries on the floor before your servers see them :( or capacity-plan for the spikes, which is... rough.
> Does anyone have any ideas what the reasoning behind this could be? I would also be interested to hear from anyone else experiencing this too.
lots of folks are chattering privately about this, it's something in china attacking chinese users. The BW and PPS rates involved are likely quite high...
> I can provide IP ranges from where I am seeing the issue but it does vary a lot between the attacks with the only pattern every time being the source address is located in China. I read a thread earlier, http://seclists.org/nanog/2011/Nov/920, which sounds like the exact thing I am seeing.
it probably is... if you run decently large auth complexes with lots of domains, welcome to the party. -chris
> Thanks
On 18 Jan 2012, at 05:06, "toor" <lists@1337.mx> wrote:
> Hi list,
> I am wondering if anyone else has seen a large amount of DNS queries coming from various IP ranges in China. I have been trying to find a pattern in the attacks but so far I have come up blank. I am completely guessing these are possibly DNS amplification attacks but I am not sure. Usually what I see is this:
At various seemingly random times over the past week I have had a DNS which is behind a firewall come under attack. The firewall is significant because the attacks killed the firewall as it is rather under-specified (not my idea..). It did originate from Chinese address space and consisted of DNS queries for lots of hosts. There was also a port-scan in the traffic and a SYN attack on a few hosts on the same small subnet as the DNS, a web server and an open SSH port.

--
Leigh Porter
On Jan 18, 2012, at 2:45 AM, Leigh Porter wrote:
> The firewall is significant because the attacks killed the firewall as it is rather under-specified (not my idea..).
DNS servers (or any other kind of server, for that matter) should never be placed behind stateful firewalls - the largest firewall one can build or buy will choke under even moderate DDoS attacks due to state-table exhaustion:

<https://files.me.com/roland.dobbins/679xji>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

The basis of optimism is sheer terror.

-- Oscar Wilde
On 1/17/12 23:45 , Leigh Porter wrote:
> On 18 Jan 2012, at 05:06, "toor" <lists@1337.mx> wrote:
> > Hi list,
> > I am wondering if anyone else has seen a large amount of DNS queries coming from various IP ranges in China. I have been trying to find a pattern in the attacks but so far I have come up blank. I am completely guessing these are possibly DNS amplification attacks but I am not sure. Usually what I see is this:
> At various seemingly random times over the past week I have had a DNS which is behind a firewall come under attack. The firewall is significant because the attacks killed the firewall as it is rather under-specified (not my idea..).
Given that the pps rate and the cps rate of DNS requests are rather similar, one expects the value of inspecting unsolicited queries to your nameserver to be rather low.
> It did originate from Chinese address space and consisted of DNS queries for lots of hosts. There was also a port-scan in the traffic and a SYN attack on a few hosts on the same small subnet as the DNS, a web server and an open SSH port.
On 1/18/2012 1:45 AM, Leigh Porter wrote:
> On 18 Jan 2012, at 05:06, "toor" <lists@1337.mx> wrote:
> > Hi list,
> > I am wondering if anyone else has seen a large amount of DNS queries coming from various IP ranges in China. I have been trying to find a pattern in the attacks but so far I have come up blank. I am completely guessing these are possibly DNS amplification attacks but I am not sure. Usually what I see is this:
> At various seemingly random times over the past week I have had a DNS which is behind a firewall come under attack. The firewall is significant because the attacks killed the firewall as it is rather under-specified (not my idea..).
> It did originate from Chinese address space and consisted of DNS queries for lots of hosts. There was also a port-scan in the traffic and a SYN attack on a few hosts on the same small subnet as the DNS, a web server and an open SSH port.
We are seeing this too, though we don't have the kind of exposure some of the larger providers do.

fwiw.. If for some reason, you can't use a dedicated box for DNS and/or a simple acl to protect services on a box, you can turn off connection tracking in iptables per-port using the NOTRACK target.

    iptables -t raw -I PREROUTING -p udp --dport 53 -j NOTRACK
    iptables -t raw -I OUTPUT -p udp --sport 53 -j NOTRACK

http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#NOTRACKTAR...

Ken
-- 
Ken Anderson
Hi -

We've been victims of these attacks many a time and more recently towards our customer dns servers which was rated at ~ 4gbps for a duration of 30mins. Tracking the source of an attack is simplified when the source is more likely to be "valid".

The nature of these attacks for us was a combination of amplification and spoofed, however implementing anti-spoofing (uRPF), especially BCP38, is a good idea; not saying it's a fix but certainly the attack methodology will significantly lessen.

As Matt Katz put it rightly so, "Distributed denial of service can only be solved with distributed delivery of service".

regards,
/virendra

On 01/17/2012 09:04 PM, toor wrote:
We ran into a 25Gbps SNMP 'reply/amplification attack' from a cable modem network about a month ago. Hopefully the particular network has fixed that issue now, but it was a banner day to be sure.

Thanks,
-Drew

-----Original Message-----
From: virendra rode [mailto:virendra.rode@gmail.com]
Sent: Wednesday, January 18, 2012 8:58 AM
To: nanog@nanog.org
Subject: Re: DNS Attacks
http://thehackernews.com/2012/02/fbi-will-shutdown-internet-on-march-8.html

________________________________
From: toor <lists@1337.mx>
To: nanog@nanog.org
Sent: Tuesday, January 17, 2012 9:04 PM
Subject: DNS Attacks
participants (10)
- Christopher Morrow
- Dobbins, Roland
- Drew Weaver
- Henry Linneweh
- Joel jaeggli
- Ken A
- Leigh Porter
- Mark Andrews
- toor
- virendra rode