Recent DNS attacks from China?
Hi All,

I am wondering if anyone else is seeing a sudden increase in DNS attacks emanating from Chinese IP addresses? Over the past 24 hours we've seen a sudden rash of Chinese IPs attacking our DNS servers in the order of 5 to 10 million PPS for periods of 5 to 10 mins, repeated every 20 to 30 minutes. This anomalous traffic started roughly 24 hours ago, and while we've had occasions of anomalous Chinese traffic, never anything of this type.

Anyone else?

Regards,
Leland
On Wed, 30 Nov 2011, Leland Vandervort wrote:
I am wondering if anyone else is seeing a sudden increase in DNS attacks emanating from Chinese IP addresses? Over the past 24 hours we've seen a sudden rash of Chinese IPs attacking our DNS servers in the order of 5 to 10 million PPS for periods of 5 to 10 mins, repeated every 20 to 30 minutes.
This anomalous traffic started roughly 24 hours ago, and while we've had occasions of anomalous chinese traffic, never anything of this type.
That might explain akamai.net hostnames not resolving intermittently since Tue Nov 29 20:20:02 2011 UTC... I don't run any authoritative or exposed caches at the moment, and the aka NXDOMAINs are the only thing we've been seeing dropouts on for the past ~48 hours, but we did see NXDOMAINs from a bunch of amazonaws hostnames over the holidays...

--
david raistrick http://www.netmeister.org/news/learn2quote.html
drais@icantclick.org http://www.expita.com/nomime.html
Once upon a time, Leland Vandervort <leland@taranta.discpro.org> said:
I am wondering if anyone else is seeing a sudden increase in DNS attacks emanating from Chinese IP addresses? Over the past 24 hours we've seen a sudden rash of Chinese IPs attacking our DNS servers in the order of 5 to 10 million PPS for periods of 5 to 10 mins, repeated every 20 to 30 minutes.
This anomalous traffic started roughly 24 hours ago, and while we've had occasions of anomalous chinese traffic, never anything of this type.
I'm seeing something similar. The requests are to our authoritative servers, and appear to be mostly for a small number of domains at a time (they are all domains we are authoritative for). They are all ANY queries, often repeated for the same domain rapidly. The requests come from one IP at a time, but move to another IP in a minute or two. This does NOT appear to be related to the recent BIND vulnerability.

--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
Before we see knee-jerk conclusions about who to blame, these attacks could be carried out by anyone. Is country even relevant in the cyberscape?

Andrew
On Wed, 30 Nov 2011 10:24:21 PST, "andrew.wallace" said:
Before we see knee-jerk conclusions about who to blame, these attacks could be carried out by anyone. Is country even relevant in the cyberscape?
Reading comprehension, Andrew. Leland never said the Chinese were behind it, he never even said the packets came from China. He said the packet origins were from Chinese IP addresses. And yes, country *is* relevant in the cyberscape. For starters, it defines how much cooperation you'll get in tracking, arresting, and prosecuting the offenders. The US has had a lot more success in apprehending Gary McKinnon than the perpetrators of Titan Rain. It's almost certainly due to the fact that McKinnon was in Glasgow and the Titan Rain people weren't.
An attack originating from somewhere indicates the presence of either an attacker or a compromised host. A particular density of either in a particular geographical area would seem like an interesting data point.

--Richard

On Wed, Nov 30, 2011 at 1:24 PM, andrew.wallace <andrew.wallace@rocketmail.com> wrote:
Before we see knee-jerk conclusions about who to blame, these attacks could be carried out by anyone.
Is country even relevant in the cyberscape?
Andrew
Except in this case it's a DNS attack, which implies UDP-based and easily spoofed. The source IP may or may not actually be accurate.

Ken
Yes it is, but the problem is that our servers are "attacking" the so-called source address. All the answers are going back to the "source". These are huge amplification attacks (some sort of smurf, if you want). The IP addresses are spoofed (we did a capture and saw all different TTLs, so they are coming from behind different hops). And yes, we saw the ANY queries for all the domains.

I still wonder how it is still possible that IP addresses can be spoofed nowadays.

Rob
Rob,

Transit providers can bill for the denial of service traffic and they claim it's too expensive to run URPF because of the extra lookup.

-Drew
On Nov 30, 2011, at 3:12 PM, Drew Weaver wrote:
-----Original Message----- From: Rob.Vercouteren@kpn.com [mailto:Rob.Vercouteren@kpn.com] Sent: Wednesday, November 30, 2011 3:05 PM To: MatlockK@exempla.org; richard.barnes@gmail.com; andrew.wallace@rocketmail.com Cc: nanog@nanog.org; leland@taranta.discpro.org Subject: RE: Recent DNS attacks from China?
Yes it is, but the problem is that our servers are "attacking" the so called source address. All the answers are going back to the "source". It is huge amplification attacks. (some sort of smurf if you want) The ip addresses are spoofed (We did a capture and saw all different ttl's so coming from behind different hops) And yes we saw the ANY queries for all the domains.
I still wonder how it is still possible that ip addresses can be spoofed nowadays
We're a smaller shop and started receiving these queries last night, roughly 1000 queries per minute or less. We're seeing that the source (victim) addresses are changing every few minutes, the TTLs vary within a given source address, and while most of the source/victim addresses have been Chinese we are seeing a few which are not, such as 74.125.90.83 (Google). The queries are coming in to ns1.traffiq.com (perhaps ns2 also, I haven't checked) and are for traffiq.com/ANY which unfortunately gives a 492 byte response.
=================
Rob,
Transit providers can bill for the denial of service traffic and they claim it's too expensive to run URPF because of the extra lookup.
-Drew
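Rob's and Ryan's observations above (ANY queries repeated for an authoritative zone, sources that rotate every few minutes, IP TTLs that vary within one claimed source, and a 492-byte answer to a small query) can be turned into a simple detector. This is an added example, not code from the thread; the log line format and the sample lines are constructed for it, and the 29-byte figure is the DNS payload size of a one-label-plus-TLD ANY query, excluding IP/UDP headers.

```python
"""Flag spoofed sources (reflection victims) in a constructed DNS query log.

Why IP TTL matters: one real host reaches us through a fixed number of hops,
so its packets arrive with (nearly) the same IP TTL.  Many different TTLs
for the same source address mean many different senders are forging it.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed format: "<epoch> <src_ip> <ip_ttl> <qname> <qtype> <query_bytes> <response_bytes>"
SAMPLE_LOG = """\
1322682000 198.51.100.7 52 example.net ANY 29 492
1322682000 198.51.100.7 61 example.net ANY 29 492
1322682001 198.51.100.7 44 example.net ANY 29 492
1322682001 198.51.100.7 57 example.net ANY 29 492
1322682002 203.0.113.9 64 example.net A 29 45
1322682002 203.0.113.9 64 mail.example.net MX 34 80
"""

@dataclass
class SourceStats:
    any_queries: int = 0
    ttls: set = field(default_factory=set)   # distinct IP TTLs seen for this source
    query_bytes: int = 0
    response_bytes: int = 0

def parse_line(line):
    ts, src, ttl, qname, qtype, qlen, rlen = line.split()
    return int(ts), src, int(ttl), qname, qtype, int(qlen), int(rlen)

def collect(log_text):
    """Aggregate per-source counters from the log text."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, ttl, _, qtype, qlen, rlen = parse_line(line)
        s = stats[src]
        s.ttls.add(ttl)
        s.query_bytes += qlen
        s.response_bytes += rlen
        if qtype == "ANY":
            s.any_queries += 1
    return stats

def amplification(s):
    """Bytes we sent back per byte received: the attacker's gain from using us."""
    return s.response_bytes / s.query_bytes if s.query_bytes else 0.0

def suspected_reflection_victims(stats, min_any=3, min_ttl_variants=2):
    """Sources with an ANY burst AND inconsistent IP TTLs, i.e. almost certainly spoofed."""
    return sorted(src for src, s in stats.items()
                  if s.any_queries >= min_any and len(s.ttls) >= min_ttl_variants)
```

The flagged addresses are the victims being reflected at, not the attacker, which is why blocking them (as Rob does later in the thread) stops the amplification without identifying anyone.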
Yup.. they're all "ANY" requests. The varying TTLs indicate that they're most likely spoofed. We are also now seeing similar traffic from RFC1918 "source" addresses trying to ingress our network (but being stopped by our border filters).

Looks like the kiddies are playing....

On 2 Dec 2011, at 16:02, Ryan Rawdon wrote:
We're a smaller shop and started receiving these queries last night, roughly 1000 queries per minute or less. We're seeing that the source (victim) addresses are changing every few minutes, the TTLs vary within a given source address, and while most of the source/victim addresses have been Chinese we are seeing a few which are not, such as 74.125.90.83 (Google). The queries are coming in to ns1.traffiq.com (perhaps ns2 also, I haven't checked) and are for traffiq.com/ANY which unfortunately gives a 492 byte response.
Other than being non-compliant, is an "ANY" query used by any major software? Could someone rate limit ANY responses to mitigate this particular issue?

On Fri, Dec 2, 2011 at 8:17 AM, Leland Vandervort <leland@taranta.discpro.org> wrote:
Yup.. they're all "ANY" requests. The varying TTLs indicates that they're most likely spoofed. We are also now seeing similar traffic from RFC1918 "source" addresses trying to ingress our network (but being stopped by our border filters).
Looks like the kiddies are playing....
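One shape the rate limiting Joel asks about can take, as an added sketch that is not BIND's or any other server's implementation: a per-source token bucket applied only to ANY queries, where an over-budget query gets an empty reply with the TC bit set instead of the full answer. A real resolver retries over TCP (which a spoofer cannot complete), while a reflection victim receives a tiny packet instead of a 492-byte one. The class and thresholds are invented for this example.

```python
"""Per-source rate limiting of ANY responses with TC-bit fallback (added example)."""
import time
from collections import defaultdict

class AnyResponseLimiter:
    def __init__(self, per_second=5, burst=10, clock=time.monotonic):
        self.rate = per_second      # tokens refilled per second, per source address
        self.burst = burst          # bucket capacity = largest burst answered in full
        self.clock = clock
        self._buckets = {}          # src -> (tokens, last_refill_time)

    def _take(self, src, now):
        tokens, last = self._buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self._buckets[src] = (tokens - 1, now)
            return True
        self._buckets[src] = (tokens, now)
        return False

    def decide(self, src, qtype, now=None):
        """'answer' normally; 'truncate' (empty reply, TC=1) for an over-budget ANY."""
        now = self.clock() if now is None else now
        if qtype != "ANY":
            return "answer"         # other query types are left alone in this sketch
        return "answer" if self._take(src, now) else "truncate"

def simulate_flood(limiter, src, n, now=0.0):
    """n ANY queries with one claimed source at the same instant; count each verdict."""
    counts = defaultdict(int)
    for _ in range(n):
        counts[limiter.decide(src, "ANY", now)] += 1
    return dict(counts)
```

Legitimate ANY users (Chris mentions qmail below) stay within the budget and see no change; only a source that asks for ANY faster than the refill rate is cut down to header-sized replies.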
Once upon a time, Joel Maslak <jmaslak@antelope.net> said:
Other than being non-compliant, is an "ANY" query used by any major software? Could someone rate limit ANY responses to mitigate this particular issue?
I believe qmail still uses ANY lookups.

--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
Since it is spoofed traffic we block the "source", so we are not participating in flooding the real IP address. The real issue is verify unicast reverse path not being implemented, so that the IP addresses cannot be spoofed! (Unless we are dealing with some major unknown vulnerabilities in our infrastructure.) After a few days we will unblock again.

Regards,
Rob Vercouteren