Attack on the DNS ?
Anyone seen signs of this attack actually occurring ?

http://www.nytimes.com/2012/03/31/technology/with-advance-warning-bracing-fo...

<snip>
The message called it Operation Global Blackout, and rallied Anonymous supporters worldwide to attack the Domain Name System, which converts human-friendly domain names like google.com into numeric addresses that are more useful for computers. It declared when the attack would be carried out: March 31. And it detailed exactly how: by bombarding the Domain Name System with junk traffic in an effort to overwhelm it altogether.
<snip>

Regards
Marshall
From my vantage point in Oslo, Norway, there is no sign of any attack occurring.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no
We already have this type of attack in Bucharest/Romania since last Friday. The targets were IPs of some local webhosters, but at one moment we even saw IPs from Go Daddy. Tcpdump will show something like:

11:10:41.447079 IP target > open_resolver_ip.53: 80+ [1au] ANY? isc.org. (37)
11:10:41.447082 IP target > open_resolver_ip.53: 59147+ [1au] ANY? isc.org. (37)
11:10:41.447084 IP target > open_resolver_ip.53: 13885+ [1au] ANY? isc.org. (37)

After one week the attack has been mostly mitigated, and the remaining open resolvers are probably Windows servers. Apparently in bill'g world it is impossible to restrict the recursion.
This is a spoofed-source amplification/reflection attack, and is really going on all the time. It has nothing to do with any possible Anonymous attack on the root name servers. ANY queries for isc.org and ripe.net are popular (ietf.org has also been seen), since they give a potentially large amplification factor.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
On Saturday, March 31, 2012 04:28:17 PM sthaug@nethelp.no wrote:
ANY queries for isc.org and ripe.net are popular (ietf.org has also been seen), since they give a potentially large amplification factor.
FWIW, saw ANY queries at a rate of 10 per second from one IP to a DNS server today, all for isc.org. Saw a few hundred more for tmss.trendmicro.com from a different IP. Other popular names include plus.google.com, maps.google.com, and play.google.com. (all denied by that particular server, which is patched against such). Anyone know if there's a project to track popular amplification names? :-)
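An added detection example, not posted by anyone in this thread: it parses tcpdump lines in the format Adrian showed and flags bursts of ANY queries for one name carrying one source address, the reflection pattern Steinar and Lamar describe. The sample lines, addresses and the 5-per-second threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed tcpdump -n style lines (not from the thread): a burst of ANY
# queries for isc.org hitting a resolver, all carrying one (spoofed) source.
SAMPLE_LINES = """\
11:10:41.447079 IP 198.51.100.7.40001 > 192.0.2.10.53: 80+ [1au] ANY? isc.org. (37)
11:10:41.447082 IP 198.51.100.7.40001 > 192.0.2.10.53: 59147+ [1au] ANY? isc.org. (37)
11:10:41.447084 IP 198.51.100.7.40001 > 192.0.2.10.53: 13885+ [1au] ANY? isc.org. (37)
11:10:41.612000 IP 198.51.100.7.40001 > 192.0.2.10.53: 4021+ [1au] ANY? isc.org. (37)
11:10:41.990100 IP 203.0.113.9.51000 > 192.0.2.10.53: 7+ A? www.example.com. (33)
11:10:42.001000 IP 198.51.100.7.40001 > 192.0.2.10.53: 918+ [1au] ANY? isc.org. (37)
11:10:42.300000 IP 198.51.100.7.40001 > 192.0.2.10.53: 330+ [1au] ANY? isc.org. (37)
11:10:43.100000 IP 203.0.113.9.51001 > 192.0.2.10.53: 9+ ANY? ripe.net. (26)
""".splitlines()


def parse_query(line):
    """Parse a 'tcpdump -n' DNS query line into (seconds, src_ip, qtype, qname); None if not a query."""
    parts = line.split()
    if len(parts) < 8 or parts[1] != "IP" or parts[3] != ">":
        return None
    h, m, s = parts[0].split(":")
    seconds = int(h) * 3600 + int(m) * 60 + float(s)
    src_ip = parts[2].rsplit(".", 1)[0]  # source token is host.port; drop the port
    # query type is the first token after the destination ending in '?', e.g. 'ANY?'
    qpos = next((i for i, p in enumerate(parts) if i >= 5 and p.endswith("?")), None)
    if qpos is None or qpos + 1 >= len(parts):
        return None
    return seconds, src_ip, parts[qpos][:-1], parts[qpos + 1].rstrip(".")


def find_any_bursts(lines, window=1.0, threshold=5):
    """Return {(src_ip, qname): peak} for ANY queries reaching >= threshold per window.
    In a reflection attack the source is the spoofed victim, so the key names who is hit."""
    times_by_key = defaultdict(list)
    for line in lines:
        rec = parse_query(line)
        if rec and rec[2] == "ANY":
            times_by_key[(rec[1], rec[3])].append(rec[0])
    bursts = {}
    for key, times in times_by_key.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[key] = peak
    return bursts
```

Running find_any_bursts(SAMPLE_LINES) reports only the isc.org burst; the single ripe.net ANY query and the ordinary A lookup stay below the threshold.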
I manage a tiny network in the Amazon, a satellite internet connection and decent sized wireless network.

All of my users started complaining yesterday about lost connectivity except for Skype. I had no problems. I checked from the users' computers and could not resolve domain names (when Skype connects and nothing else does it's always been a DNS issue). After much troubleshooting I finally fired up Wireshark and saw that the DNS servers (or someone appearing to have their IP addresses) were replying to our queries with "no such name".

The reason I was having no problems is I'm using OpenDNS' DNSCrypt. With DNSCrypt on we have no problems. With good old fashioned unencrypted DNS (Google's, OpenDNS', our ISP's) we're barely able to communicate.

Is DNS traffic being directed to bogus servers? Are the real servers being overloaded? Am I seeing the results of some kind of DDOS mitigation technique?

Is anyone else seeing this?

Greg Ihnen
On Sat, Mar 31, 2012 at 10:09 PM, Greg Ihnen <os10rules@gmail.com> wrote:
I manage a tiny network in the Amazon, a satellite internet connection and decent sized wireless network.
Is DNS traffic being directed to bogus servers? Are the real servers being overloaded? Am I seeing the results of some kind of DDOS mitigation technique?
If you are using a broadband connection from the Brazilian incumbent operator (Oi), you might indeed be redirected to bogus servers. They are very fond of "monetizing" techniques with their user base, using either DNS or all the traffic for that matter (Phorm).

Rubens
Looks like your network has a user or two participating in this retarded attempt to drop the Internet.

Thanks,
Ameen Pishdadi

On Mar 31, 2012, at 8:30 PM, Greg Ihnen <os10rules@gmail.com> wrote:
I manage a tiny network in the Amazon, a satellite internet connection and decent sized wireless network.
All of my users started complaining yesterday about lost connectivity except for Skype. I had no problems. I checked from the users' computers and could not resolve domain names (when Skype connects and nothing else does it's always been a DNS issue). After much troubleshooting I finally fired up Wireshark and saw that the DNS servers (or someone appearing to have their IP addresses) were replying to our queries with "no such name".
The reason I was having no problems is I'm using OpenDNS' DNSCrypt. With DNSCrypt on we have no problems. With good old fashioned unencrypted DNS (Googles, OpenDNS', our ISPs) we're barely able to communicate.
Is DNS traffic being directed to bogus servers? Are the real servers being overloaded? Am I seeing the results of some kind of DDOS mitigation technique?
Is anyone else seeing this?
Greg Ihnen
On Sat, 31 Mar 2012 05:05:46 -0400, Marshall Eubanks said:
Anyone seen signs of this attack actually occurring ?
http://www.nytimes.com/2012/03/31/technology/with-advance-warning-bracing-fo...
<more snip>
"Those preparations turned into a fast-track, multimillion-dollar global effort to beef up the Domain Name System. They offer a glimpse into the largely unknown forces that keep the Internet running in the face of unpredictable, potentially devastating threats."

Was there *really* that much of a reaction to *this* threat, over and above the continual 24x7x365 ongoing effort to add resiliency and mitigation to the DNS?
participants (8)
- Adrian Minta
- Ameen Pishdadi
- Greg Ihnen
- Lamar Owen
- Marshall Eubanks
- Rubens Kuhl
- sthaug@nethelp.no
- Valdis.Kletnieks@vt.edu