At 01:38 AM 07-05-05 +0000, Christopher L. Morrow wrote:

I scanned my Telescope report of 3,382 spoofed DDOS attacks last week (May 1-7) and could not find any listed for 216.168.229.0/24, worldnic.com, netsol.com or AS6245.

-Hank
worldnic.com.           86400   IN      NS      ns1.netsol.com.
worldnic.com.           86400   IN      NS      ns2.netsol.com.
worldnic.com.           86400   IN      NS      ns3.netsol.com.

;; ADDITIONAL SECTION:
ns1.netsol.com.         86400   IN      A       216.168.229.228
ns2.netsol.com.         86400   IN      A       216.168.229.229
ns3.netsol.com.         86400   IN      A       216.168.229.229
why have 3 records and 2 ips? odd. You'd think they would have more ips in that /21 or other /24's to allocate from, just in case they had to jettison 1 address which was getting pounded :( (not that these were getting attacked per se, but still)
[0] - as it seems that the ddos sources were ip address spoofed (which is why the service still worked for tcp), I owe Paul an apology for downplaying the immediacy of the need for source address filtering.
It's also not clear that the sources were spoofed, if as Patrick says they put in a riverhead(s) (which isn't too far fetched) the normal mode for 'protection' of DNS is to: 1) truncate 2) rate-limit - and cache (I think it caches at least, I know it will go into proxy mode and rate-limit)
truncate forces TCP which allows RHG to verify the source address is really asking to chat, rate-limit function keeps 'bad actors' from beating the hell out of the protected resource.
So, without more info from NetSol (seems not to be forthcoming?) about the mix of attack traffic (which the RHG will provide) it's hard to state definitively that the attack was 'mostly spoofed' :(
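The two-stage behaviour Chris describes (answer UDP with a truncated reply so a genuine resolver retries over TCP, where the completed handshake vouches for the source address, then rate-limit per verified source) is sketched below as an added illustration. It is not Riverhead's code and not anything posted in the thread; the query name, the source addresses (taken from the documentation ranges) and the 5-queries-per-second budget are assumptions chosen for the demo. The spoofed flood in step 2 is constructed traffic that never reaches the protected server, which is exactly the property the guard relies on.

```python
import struct
from collections import defaultdict

# Assumptions for this demo (none of these values come from the thread):
RATE_LIMIT_PER_SEC = 5            # per-source budget once the source is verified
QUERY_NAME = "ns1.example.com."   # constructed query name
LEGIT_RESOLVER = "198.51.100.7"   # documentation addresses stand in for real ones
ABUSIVE_REAL_SOURCE = "198.51.100.9"


def build_query(qid, name, qtype=1):
    """Minimal DNS query: 12-byte header (RD=1, QDCOUNT=1) plus one IN question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the fields a client needs: ID, QR, TC, RCODE and the counts."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def _reply(query, extra_flags, ancount=0, rdata=b""):
    """Copy ID and question from the query, set QR plus the given flag bits."""
    qid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8000 | extra_flags | (flags & 0x0100)          # QR=1, keep RD
    return struct.pack("!HHHHHH", qid, flags, qd, ancount, 0, 0) + query[12:] + rdata


def truncated_reply(query):
    return _reply(query, 0x0200)                              # TC=1, no answers


def refused_reply(query):
    return _reply(query, 0x0005)                              # RCODE=5 REFUSED


class Backend:
    """Stand-in for the protected authoritative server."""
    def __init__(self):
        self.served = 0

    def answer(self, query):
        self.served += 1
        # One A record: owner name via pointer to offset 12, IN, TTL 300, 192.0.2.1
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
        return _reply(query, 0x0400, ancount=1, rdata=rr)     # AA=1


class Protector:
    """Front-end guard. UDP queries get a stateless TC reply (no amplification,
    nothing forwarded). TCP queries arrive only after a completed handshake, so
    the source address is known to be real; those are rate-limited per source
    and then forwarded."""
    def __init__(self, backend, limit=RATE_LIMIT_PER_SEC):
        self.backend, self.limit = backend, limit
        self.window, self.counts = None, defaultdict(int)
        self.truncated = self.forwarded = self.refused = 0

    def on_udp(self, src, query):
        self.truncated += 1
        return truncated_reply(query)

    def on_tcp(self, src, query, now):
        sec = int(now)
        if sec != self.window:                                 # new 1-second window
            self.window, self.counts = sec, defaultdict(int)
        self.counts[src] += 1
        if self.counts[src] > self.limit:
            self.refused += 1
            return refused_reply(query)
        self.forwarded += 1
        return self.backend.answer(query)


def simulate(limit=RATE_LIMIT_PER_SEC):
    """Three traffic patterns against the guard; returns what reached the backend."""
    backend = Backend()
    guard = Protector(backend, limit)
    q = build_query(0x1234, QUERY_NAME)

    # 1. Honest resolver: UDP gets TC, so it retries the same question over TCP.
    first = parse_header(guard.on_udp(LEGIT_RESOLVER, q))
    final = parse_header(guard.on_tcp(LEGIT_RESOLVER, q, now=100.0)) if first["tc"] else first
    legit_answered = final["ancount"] == 1 and not final["tc"] and final["id"] == 0x1234

    # 2. Spoofed UDP flood (constructed sources): TC replies go to the forged
    #    addresses, nobody completes a TCP handshake, the backend never sees it.
    served_before, truncated_before = backend.served, guard.truncated
    for i in range(1000):
        guard.on_udp(f"203.0.113.{i % 256}", build_query(i, QUERY_NAME))
    flood_truncated = guard.truncated - truncated_before
    flood_reached_backend = backend.served - served_before

    # 3. One real (verified) source hammering over TCP: budget, then REFUSED.
    rcodes = [parse_header(guard.on_tcp(ABUSIVE_REAL_SOURCE, q, now=101.0))["rcode"]
              for _ in range(8)]

    return {"legit_answered": legit_answered,
            "flood_truncated": flood_truncated,
            "flood_reached_backend": flood_reached_backend,
            "abuser_refused": rcodes.count(5),
            "backend_queries": backend.served}


if __name__ == "__main__":
    print(simulate())
```

The point of the model is the asymmetry Chris relies on: the UDP path costs the guard one small reply per packet and nothing behind it, while the only path to the real server requires a source that can complete a handshake. That is also why, as he notes, a TC-and-rate-limit front end makes "the attack was mostly spoofed" hard to infer from the fact that TCP service kept working: both spoofed and unspoofed UDP floods would look the same from behind the guard.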
I believe the issues (reported on NANOG specifically) related to ns*.worldnic.com (seemingly ns1 through ns100.worldnic.com) which seem to be mostly related to 216.168.225.0/24 with some smatterings in 216.168.228.0/24. Some examination during the event, and since then, would indicate that traceroutes to these /24s result in endpoints that are in the same location, apparently in the DC area. Anycast would not seem to be involved.

It further seems that these nameservers are used primarily by customers of their bundled-with-a-domain-name DNS offering, with minimal cost. There are in excess of 300,000 domains that point to ns*.worldnic.net as being authoritative, that I have been able to identify so far. It seems that a large number of domain name registrants might have been affected, although many were unaware.

And I assume that it is obvious that this is all "Network Solutions", the Registrar Business, as distinct from the now completely unrelated company, Verisign, the Registry Operator.

Rodney Joffe
CenterGate Research Group, LLC
http://www.centergate.com
"Technology so advanced, even WE don't understand it"(R)
On Sun, 8 May 2005, Rodney Joffe wrote:

I will check whether our telescope is missing tcp/53 pkts.

-Hank
participants (2)
- Hank Nussbacher
- Rodney Joffe