Mailing List Archive: NANOG: users

DNS Attacks



lists at 1337

Jan 17, 2012, 9:04 PM

Post #1 of 35 (489 views)
DNS Attacks

Hi list,

I am wondering if anyone else has seen a large amount of DNS queries
coming from various IP ranges in China. I have been trying to find a
pattern in the attacks but so far I have come up blank. I am completely
guessing these are possibly DNS amplification attacks but I am not
sure. Usually what I see is this:

- Attacks most commonly between the hours of 4AM-4PM UTC
- DNS queries appear to be for real domains that the DNS servers in
question are authoritative for (I can't really see any pattern there,
there are about 150,000 zones on the servers in question)
- From a range of IPs there will be an attack for approximately 5-10
minutes before stopping and then a break of 30 minutes or so before
another attack from a different IP range
- Every IP range has been from China

I have limited the number of queries that can be done to mitigate this
but it's messing up my pretty netflow graphs due to the spikes in
flows/packets being sent.

Does anyone have any ideas what the reasoning behind this could be? I
would also be interested to hear from anyone else experiencing this
too.

I can provide IP ranges from where I am seeing the issue but it does
vary a lot between the attacks with the only pattern every time being
the source address is located in China. I read a thread earlier,
http://seclists.org/nanog/2011/Nov/920, which sounds like the exact
thing I am seeing.

Thanks


marka at isc

Jan 17, 2012, 9:15 PM

Post #2 of 35 (476 views)
Re: DNS Attacks [In reply to]

In message <CALjCmpma-gXUerPUfeAWtgZn4qtVkxJTaEFL3D9Gc0OTvS96oQ [at] mail>,
toor writes:
> Hi list,
>
> I am wondering if anyone else has seen a large amount of DNS queries
> coming from various IP ranges in China. I have been trying to find a
> pattern in the attacks but so far I have come up blank. I am completely
> guessing these are possibly DNS amplification attacks but I am not
> sure. Usually what I see is this:
>
> - Attacks most commonly between the hours of 4AM-4PM UTC
> - DNS queries appear to be for real domains that the DNS servers in
> question are authoritative for (I can't really see any pattern there,
> there are about 150,000 zones on the servers in question)
> - From a range of IPs there will be an attack for approximately 5-10
> minutes before stopping and then a break of 30 minutes or so before
> another attack from a different IP range
> - Every IP range has been from China
>
> I have limited the number of queries that can be done to mitigate this
> but it's messing up my pretty netflow graphs due to the spikes in
> flows/packets being sent.
>
> Does anyone have any ideas what the reasoning behind this could be? I
> would also be interested to hear from anyone else experiencing this
> too.
>
> I can provide IP ranges from where I am seeing the issue but it does
> vary a lot between the attacks with the only pattern every time being
> the source address is located in China. I read a thread earlier,
> http://seclists.org/nanog/2011/Nov/920, which sounds like the exact
> thing I am seeing.
>
> Thanks

Most of the time you will be being used as an amplifier and the
source traffic is spoofed. The short periods are so that it is
harder to trace the compromised machines.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka [at] isc
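Worked example, added to this archive page and not written by anyone in the thread: a Python triage script that takes NetFlow-style records of the kind toor is graphing, aggregates query traffic by source /24, finds the on/off bursts described above, and estimates the amplification each "source" range is receiving (per Mark's point, those ranges are the spoofed victims, not the attacker). The server address, prefixes, packet counts and sizes are constructed documentation-range values, not data from the list.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (the fields a NetFlow v5 export carries)."""
    start: int     # flow start, seconds since an arbitrary epoch
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    octets: int


def prefix24(ip: str) -> str:
    """Aggregate by /24: a spoofed 'source' usually walks a whole range."""
    return str(ip_network(f"{ip}/24", strict=False))


def summarize(flows, server):
    """Per-source-/24 volume at the auth server.  Queries are flows to server:53,
    responses are flows from server:53; amp = response octets / query octets,
    i.e. bytes the (spoofed) source receives per byte the real attacker sent."""
    stats = defaultdict(lambda: {"qpkts": 0, "qoctets": 0, "roctets": 0})
    for f in flows:
        if f.dst == server and f.dport == 53:
            s = stats[prefix24(f.src)]
            s["qpkts"] += f.packets
            s["qoctets"] += f.octets
        elif f.src == server and f.sport == 53:
            stats[prefix24(f.dst)]["roctets"] += f.octets
    for s in stats.values():
        s["amp"] = round(s["roctets"] / s["qoctets"], 2) if s["qoctets"] else 0.0
    return dict(stats)


def bursts(flows, server, bucket=60, min_pps=100):
    """Runs of consecutive `bucket`-second windows in which one source /24 sends
    more than `min_pps` query packets/second.  Returns [(prefix, start, end)],
    end exclusive, so flood / 30-minute pause / flood from another range
    comes out as separate entries."""
    per_bucket = defaultdict(lambda: defaultdict(int))  # prefix -> bucket -> pkts
    for f in flows:
        if f.dst == server and f.dport == 53:
            per_bucket[prefix24(f.src)][f.start // bucket] += f.packets
    found = []
    for prefix, counts in per_bucket.items():
        hot = sorted(b for b, n in counts.items() if n / bucket > min_pps)
        run_start = prev = None
        for b in hot:
            if run_start is None:
                run_start = b
            elif b != prev + 1:  # gap in the hot buckets: close the previous run
                found.append((prefix, run_start * bucket, (prev + 1) * bucket))
                run_start = b
            prev = b
        if run_start is not None:
            found.append((prefix, run_start * bucket, (prev + 1) * bucket))
    return sorted(found, key=lambda entry: entry[1])


SERVER = "192.0.2.53"  # constructed: the authoritative server being watched


def sample_flows():
    """Constructed hour of records: one legitimate resolver at 0.5 pps all hour;
    a flood 'from' five hosts in 198.51.100.0/24 for minutes 0-6; silence; a
    flood 'from' 203.0.113.0/24 for minutes 37-45.  Flood queries are 70 octets
    and draw ~1300-octet answers: the flood 'sources' are reflection victims."""
    flows = []
    for minute in range(60):
        t = minute * 60
        flows.append(Flow(t, "192.0.2.10", 40000, SERVER, 53, 30, 2100))
        flows.append(Flow(t, SERVER, 53, "192.0.2.10", 40000, 30, 4500))
        victim_range = None
        if minute < 7:
            victim_range = "198.51.100."
        elif 37 <= minute < 46:
            victim_range = "203.0.113."
        if victim_range:
            for host in range(1, 6):
                src = f"{victim_range}{host}"
                flows.append(Flow(t, src, 1024 + host, SERVER, 53, 6000, 6000 * 70))
                flows.append(Flow(t, SERVER, 53, src, 1024 + host, 6000, 6000 * 1300))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    for prefix, start, end in bursts(flows, SERVER):
        print(f"{prefix}: flood t={start}s..{end}s ({(end - start) // 60} min)")
    for prefix, s in sorted(summarize(flows, SERVER).items()):
        print(f"{prefix}: {s['qpkts']} query pkts, amplification x{s['amp']}")
```

The burst list is what you would hand to the spoofed ranges' operators; the amplification ratio is the number that tells you whether your server is being used as a reflector rather than being the real target.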


morrowc.lists at gmail

Jan 17, 2012, 9:34 PM

Post #3 of 35 (476 views)
Re: DNS Attacks [In reply to]

On Wed, Jan 18, 2012 at 12:04 AM, toor <lists [at] 1337> wrote:
> Hi list,
>
> I am wondering if anyone else has seen a large amount of DNS queries
> coming from various IP ranges in China. I have been trying to find a

china is a big country....

> pattern in the attacks but so far I have come up blank. I am completely
> guessing these are possibly DNS amplification attacks but I am not
> sure. Usually what I see is this:
>
> - Attacks most commonly between the hours of 4AM-4PM UTC
> - DNS queries appear to be for real domains that the DNS servers in
> question are authoritative for (I can't really see any pattern there,
> there are about 150,000 zones on the servers in question)

yup

> - From a range of IPs there will be an attack for approximately 5-10
> minutes before stopping and then a break of 30 minutes or so before
> another attack from a different IP range

marka noted that the source is really the thing being attacked, that
seems to be the case in the incidents I've seen (and which I've seen
other folks also make note of, over the last ~2-3 months)

> - Every IP range has been from China
>

yup, probably over .cn peer links? if you have them...

> I have limited the number of queries that can be done to mitigate this
> but it's messing up my pretty netflow graphs due to the spikes in
> flows/packets being sent.

yea... you can't really limit queries, unless you can react in almost
real-time to drop the queries on the floor before your servers see
them :( or capacity-plan for the spikes, which is... rough.

>
> Does anyone have any ideas what the reasoning behind this could be? I
> would also be interested to hear from anyone else experiencing this
> too.
>

lots of folks are chattering privately about this, it's something in
China attacking Chinese users. The BW and PPS rates involved are likely
quite high...

> I can provide IP ranges from where I am seeing the issue but it does
> vary a lot between the attacks with the only pattern every time being
> the source address is located in China. I read a thread earlier,
> http://seclists.org/nanog/2011/Nov/920, which sounds like the exact
> thing I am seeing.
>

it probably is... if you run decently large auth complexes with lots
of domains, welcome to the party.

-chris

> Thanks
>


leigh.porter at ukbroadband

Jan 17, 2012, 11:45 PM

Post #4 of 35 (476 views)
Re: DNS Attacks [In reply to]

On 18 Jan 2012, at 05:06, "toor" <lists [at] 1337> wrote:

> Hi list,
>
> I am wondering if anyone else has seen a large amount of DNS queries
> coming from various IP ranges in China. I have been trying to find a
> pattern in the attacks but so far I have come up blank. I am completely
> guessing these are possibly DNS amplification attacks but I am not
> sure. Usually what I see is this:
>

At various seemingly random times over the past week I have had a DNS which is behind a firewall come under attack. The firewall is significant because the attacks killed the firewall as it is rather under-specified (not my idea...).

It did originate from Chinese address space and consisted of DNS queries for lots of hosts. There was also a port-scan in the traffic and a SYN attack on a few hosts on the same small subnet as the DNS, a web server and an open SSH port.

--
Leigh Porter


______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________


rdobbins at arbor

Jan 18, 2012, 12:05 AM

Post #5 of 35 (472 views)
Re: DNS Attacks [In reply to]

On Jan 18, 2012, at 2:45 AM, Leigh Porter wrote:

> The firewall is significant because the attacks killed the firewall as it is rather under-specified (not my idea...).


DNS servers (or any other kind of server, for that matter) should never be placed behind stateful firewalls - the largest firewall one can build or buy will choke under even moderate DDoS attacks due to state-table exhaustion:

<https://files.me.com/roland.dobbins/679xji>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins [at] arbor> // <http://www.arbornetworks.com>

The basis of optimism is sheer terror.

-- Oscar Wilde


joelja at bogus

Jan 18, 2012, 12:35 AM

Post #6 of 35 (470 views)
Re: DNS Attacks [In reply to]

On 1/17/12 23:45 , Leigh Porter wrote:
>
>
> On 18 Jan 2012, at 05:06, "toor" <lists [at] 1337> wrote:
>
>> Hi list,
>>
>> I am wondering if anyone else has seen a large amount of DNS
>> queries coming from various IP ranges in China. I have been trying
>> to find a pattern in the attacks but so far I have come up blank. I
>> am completely guessing these are possibly DNS amplification attacks
>> but I am not sure. Usually what I see is this:
>>
>
> At various seemingly random times over the past week I have had a DNS
> which is behind a firewall come under attack. The firewall is
> significant because the attacks killed the firewall as it is rather
> under-specified (not my idea...).

Given that the pps rate and the cps rate of DNS requests are rather
similar, one expects the value of inspecting unsolicited queries to your
nameserver to be rather low.

> It did originate from Chinese address space and consisted of DNS
> queries for lots of hosts. There was also a port-scan in the traffic
> and a SYN attack on a few hosts on the same small subnet as the DNS,
> a web server and an open SSH port.
>


dennis at justipit

Jan 18, 2012, 4:53 AM

Post #7 of 35 (465 views)
Re: DNS Attacks [In reply to]

I agree with Roland on the firewall placement. I add that the attack would likely have succeeded in exhausting the servers. There is a lot of recent DDoS activity on DNS with what looks like legitimate queries. You should also look at some DoS/application-level protections; Radware and Arbor top the list.


Leigh Porter <leigh.porter [at] ukbroadband> wrote:

>
>
>On 18 Jan 2012, at 05:06, "toor" <lists [at] 1337> wrote:
>
>> Hi list,
>>
>> I am wondering if anyone else has seen a large amount of DNS queries
>> coming from various IP ranges in China. I have been trying to find a
>> pattern in the attacks but so far I have come up blank. I am completely
>> guessing these are possibly DNS amplification attacks but I am not
>> sure. Usually what I see is this:
>>
>
>At various seemingly random times over the past week I have had a DNS which is behind a firewall come under attack. The firewall is significant because the attacks killed the firewall as it is rather under-specified (not my idea...).
>
>It did originate from Chinese address space and consisted of DNS queries for lots of hosts. There was also a port-scan in the traffic and a SYN attack on a few hosts on the same small subnet as the DNS, a web server and an open SSH port.
>
>--
>Leigh Porter
>
>


virendra.rode at gmail

Jan 18, 2012, 5:57 AM

Post #8 of 35 (465 views)
Re: DNS Attacks [In reply to]


Hi -

We've been victims of these attacks many times, and more recently
towards our customer DNS servers, which was rated at ~4 Gbps for a
duration of 30 mins.

Tracking the source of an attack is simplified when the source is more
likely to be "valid".

The nature of these attacks for us was a combination of amplification
and spoofing; however, implementing anti-spoofing (uRPF), especially BCP38,
is a good idea. Not saying it's a fix, but certainly the attack methodology
will significantly lessen.

As Matt Katz rightly put it, "Distributed denial of service can only
be solved with distributed delivery of service".


regards,
/virendra

On 01/17/2012 09:04 PM, toor wrote:
> Hi list,
>
> I am wondering if anyone else has seen a large amount of DNS queries
> coming from various IP ranges in China. I have been trying to find a
> pattern in the attacks but so far I have come up blank. I am completely
> guessing these are possibly DNS amplification attacks but I am not
> sure. Usually what I see is this:
>
> - Attacks most commonly between the hours of 4AM-4PM UTC
> - DNS queries appear to be for real domains that the DNS servers in
> question are authoritative for (I can't really see any pattern there,
> there are about 150,000 zones on the servers in question)
> - From a range of IPs there will be an attack for approximately 5-10
> minutes before stopping and then a break of 30 minutes or so before
> another attack from a different IP range
> - Every IP range has been from China
>
> I have limited the number of queries that can be done to mitigate this
> but it's messing up my pretty netflow graphs due to the spikes in
> flows/packets being sent.
>
> Does anyone have any ideas what the reasoning behind this could be? I
> would also be interested to hear from anyone else experiencing this
> too.
>
> I can provide IP ranges from where I am seeing the issue but it does
> vary a lot between the attacks with the only pattern every time being
> the source address is located in China. I read a thread earlier,
> http://seclists.org/nanog/2011/Nov/920, which sounds like the exact
> thing I am seeing.
>
> Thanks
>
>


drew.weaver at thenap

Jan 18, 2012, 6:01 AM

Post #9 of 35 (462 views)
RE: DNS Attacks [In reply to]

We ran into a 25Gbps SNMP 'reply/amplification attack' from a cable modem network about a month ago.

Hopefully the particular network has fixed that issue now, but it was a banner day to be sure.

Thanks,
-Drew


-----Original Message-----
From: virendra rode [mailto:virendra.rode [at] gmail]
Sent: Wednesday, January 18, 2012 8:58 AM
To: nanog [at] nanog
Subject: Re: DNS Attacks


Hi -

We've been victims of these attacks many times, and more recently towards our customer DNS servers, which was rated at ~4 Gbps for a duration of 30 mins.

Tracking the source of an attack is simplified when the source is more likely to be "valid".

The nature of these attacks for us was a combination of amplification and spoofing; however, implementing anti-spoofing (uRPF), especially BCP38, is a good idea. Not saying it's a fix, but certainly the attack methodology will significantly lessen.

As Matt Katz rightly put it, "Distributed denial of service can only be solved with distributed delivery of service".


regards,
/virendra

On 01/17/2012 09:04 PM, toor wrote:
> Hi list,
>
> I am wondering if anyone else has seen a large amount of DNS queries
> coming from various IP ranges in China. I have been trying to find a
> pattern in the attacks but so far I have come up blank. I am completely
> guessing these are possibly DNS amplification attacks but I am not
> sure. Usually what I see is this:
>
> - Attacks most commonly between the hours of 4AM-4PM UTC
> - DNS queries appear to be for real domains that the DNS servers in
> question are authoritative for (I can't really see any pattern there,
> there are about 150,000 zones on the servers in question)
> - From a range of IPs there will be an attack for approximately 5-10
> minutes before stopping and then a break of 30 minutes or so before
> another attack from a different IP range
> - Every IP range has been from China
>
> I have limited the number of queries that can be done to mitigate this
> but it's messing up my pretty netflow graphs due to the spikes in
> flows/packets being sent.
>
> Does anyone have any ideas what the reasoning behind this could be? I
> would also be interested to hear from anyone else experiencing this
> too.
>
> I can provide IP ranges from where I am seeing the issue but it does
> vary a lot between the attacks with the only pattern every time being
> the source address is located in China. I read a thread earlier,
> http://seclists.org/nanog/2011/Nov/920, which sounds like the exact
> thing I am seeing.
>
> Thanks
>
>


leigh.porter at ukbroadband

Jan 18, 2012, 6:18 AM

Post #10 of 35 (459 views)
RE: DNS Attacks [In reply to]

Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long as it is not *my* firewalls I really don't care what they do ;-)

--
Leigh Porter


> -----Original Message-----
> From: Dennis [mailto:dennis [at] justipit]
> Sent: 18 January 2012 12:55
> To: Leigh Porter; toor
> Cc: nanog [at] nanog
> Subject: Re: DNS Attacks
>
> I agree with Roland on the firewall placement. I add that the attack
> would likely have succeeded in exhausting the servers. There is a lot of
> recent DDoS activity on DNS with what looks like legitimate queries.
> You should also look at some DoS/application-level protections;
> Radware and Arbor top the list.
>
>
> Leigh Porter <leigh.porter [at] ukbroadband> wrote:
>
> >
> >
> >On 18 Jan 2012, at 05:06, "toor" <lists [at] 1337> wrote:
> >
> >> Hi list,
> >>
> >> I am wondering if anyone else has seen a large amount of DNS queries
> >> coming from various IP ranges in China. I have been trying to find a
> >> pattern in the attacks but so far I have come up blank. I am
> completely
> >> guessing these are possibly DNS amplification attacks but I am not
> >> sure. Usually what I see is this:
> >>
> >
> >At various seemingly random times over the past week I have had a DNS
> which is behind a firewall come under attack. The firewall is
> significant because the attacks killed the firewall as it is rather
> under-specified (not my idea...).
> >
> >It did originate from Chinese address space and consisted of DNS
> queries for lots of hosts. There was also a port-scan in the traffic
> and a SYN attack on a few hosts on the same small subnet as the DNS, a
> web server and an open SSH port.
> >
> >--
> >Leigh Porter
> >
> >



nick at foobar

Jan 18, 2012, 7:05 AM

Post #11 of 35 (459 views)
Re: DNS Attacks [In reply to]

On 18/01/2012 14:18, Leigh Porter wrote:
> Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long
> as it is not *my* firewalls I really don't care what they do ;-)

As you're posting here, it looks like it's become your problem. :-D

Seriously, though, there is no value to maintaining state for DNS queries.
You would be much better off to put your firewall production interfaces on
a routed port on a hardware router so that you can implement ASIC packet
filtering. This will operate at wire speed without dumping you into the
colloquial poo every time someone decides to take out your critical
infrastructure.

Nick


morrowc.lists at gmail

Jan 18, 2012, 7:41 AM

Post #12 of 35 (465 views)
Re: DNS Attacks [In reply to]

On Wed, Jan 18, 2012 at 10:05 AM, Nick Hilliard <nick [at] foobar> wrote:
> On 18/01/2012 14:18, Leigh Porter wrote:
>> Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long
>> as it is not *my* firewalls I really don't care what they do ;-)
>
> As you're posting here, it looks like it's become your problem. :-D
>
> Seriously, though, there is no value to maintaining state for DNS queries.
>  You would be much better off to put your firewall production interfaces on
> a routed port on a hardware router so that you can implement ASIC packet
> filtering.  This will operate at wire speed without dumping you into the
> colloquial poo every time someone decides to take out your critical
> infrastructure.

I get the feeling that Leigh had implemented this against his own
advice for a client... that he's on board with the 'putting a firewall in
front of a DNS server is dumb' meme...


smb at cs

Jan 18, 2012, 8:34 AM

Post #13 of 35 (457 views)
Re: DNS Attacks [In reply to]

On Jan 18, 2012, at 10:41 30AM, Christopher Morrow wrote:

> On Wed, Jan 18, 2012 at 10:05 AM, Nick Hilliard <nick [at] foobar> wrote:
>> On 18/01/2012 14:18, Leigh Porter wrote:
>>> Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long
>>> as it is not *my* firewalls I really don't care what they do ;-)
>>
>> As you're posting here, it looks like it's become your problem. :-D
>>
>> Seriously, though, there is no value to maintaining state for DNS queries.
>> You would be much better off to put your firewall production interfaces on
>> a routed port on a hardware router so that you can implement ASIC packet
>> filtering. This will operate at wire speed without dumping you into the
>> colloquial poo every time someone decides to take out your critical
>> infrastructure.
>
> I get the feeling that Leigh had implemented this against his own
> advice for a client... that he's on board with the 'putting a firewall in
> front of a DNS server is dumb' meme...

In principle, this is certainly correct (and I've often said the same thing
about web servers); in practice, though, a lot depends on the specs. For
example: can the firewall discard useless requests more quickly? Does it do
a better job of discarding malformed packets? Is the vendor better about
supplying patches to new vulnerabilities? Can it do a better job filtering
on source IP address? Does it do load-balancing? Are there other services
on the same server IP address that do require stateful filtering?

As I said, most of the time a dedicated DNS appliance doesn't benefit from
firewall protection. Occasionally, though, it might.


--Steve Bellovin, https://www.cs.columbia.edu/~smb


morrowc.lists at gmail

Jan 18, 2012, 8:42 AM

Post #14 of 35 (454 views)
Re: DNS Attacks [In reply to]

On Wed, Jan 18, 2012 at 11:34 AM, Steven Bellovin <smb [at] cs> wrote:
>
> On Jan 18, 2012, at 10:41 30AM, Christopher Morrow wrote:
>
>> On Wed, Jan 18, 2012 at 10:05 AM, Nick Hilliard <nick [at] foobar> wrote:
>>> On 18/01/2012 14:18, Leigh Porter wrote:
>>>> Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long
>>>> as it is not *my* firewalls I really don't care what they do ;-)
>>>
>>> As you're posting here, it looks like it's become your problem. :-D
>>>
>>> Seriously, though, there is no value to maintaining state for DNS queries.
>>>  You would be much better off to put your firewall production interfaces on
>>> a routed port on a hardware router so that you can implement ASIC packet
>>> filtering.  This will operate at wire speed without dumping you into the
>>> colloquial poo every time someone decides to take out your critical
>>> infrastructure.
>>
>> I get the feeling that Leigh had implemented this against his own
>> advice for a client... that he's on board with the 'putting a firewall in
>> front of a DNS server is dumb' meme...
>
> In principle, this is certainly correct (and I've often said the same thing
> about web servers); in practice, though, a lot depends on the specs.  For
> example: can the firewall discard useless requests more quickly?  Does it do
> a better job of discarding malformed packets?  Is the vendor better about
> supplying patches to new vulnerabilities?  Can it do a better job filtering
> on source IP address?  Does it do load-balancing?  Are there other services
> on the same server IP address that do require stateful filtering?


yup... I think roland and nick (he can correct me, roland I KNOW is
saying this) are basically saying:

permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any

is far, far better than state management in a firewall. Anything more
complex and your firewall fails long before the 7206's
interface/filter will :( Some folks would say you'd be better off
doing some LB/filtering-in-software behind said router interface
filter, I can't argue with that.

> As I said, most of the time a dedicated DNS appliance doesn't benefit from
> firewall protection.  Occasionally, though, it might.

I suspect the cases where it MAY benefit are the 'lower packet rate,
ping-o-death-type' attacks only though. Essentially 'use a proxy to
remove unknown cruft' as a frontend to your more complex dns/web
answering system, eh?

under load though, high pps rate attacks/instances (victoria secret
fashion-show sorts of things) your firewall/proxy is likely to die
before the backend does ;(

-chris

>
>                --Steve Bellovin, https://www.cs.columbia.edu/~smb


cb.list6 at gmail

Jan 18, 2012, 9:15 AM

Post #15 of 35 (458 views)
Re: DNS Attacks [In reply to]

On Jan 18, 2012 8:43 AM, "Christopher Morrow" <morrowc.lists [at] gmail> wrote:
>
> On Wed, Jan 18, 2012 at 11:34 AM, Steven Bellovin <smb [at] cs> wrote:
> >
> > On Jan 18, 2012, at 10:41 30AM, Christopher Morrow wrote:
> >
> >> On Wed, Jan 18, 2012 at 10:05 AM, Nick Hilliard <nick [at] foobar> wrote:
> >>> On 18/01/2012 14:18, Leigh Porter wrote:
> >>>> Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long
> >>>> as it is not *my* firewalls I really don't care what they do ;-)
> >>>
> >>> As you're posting here, it looks like it's become your problem. :-D
> >>>
> >>> Seriously, though, there is no value to maintaining state for DNS queries.
> >>> You would be much better off to put your firewall production interfaces on
> >>> a routed port on a hardware router so that you can implement ASIC packet
> >>> filtering. This will operate at wire speed without dumping you into the
> >>> colloquial poo every time someone decides to take out your critical
> >>> infrastructure.
> >>
> >> I get the feeling that Leigh had implemented this against his own
> >> advice for a client... that he's on board with the 'putting a firewall in
> >> front of a DNS server is dumb' meme...
> >
> > In principle, this is certainly correct (and I've often said the same thing
> > about web servers); in practice, though, a lot depends on the specs. For
> > example: can the firewall discard useless requests more quickly? Does it do
> > a better job of discarding malformed packets? Is the vendor better about
> > supplying patches to new vulnerabilities? Can it do a better job filtering
> > on source IP address? Does it do load-balancing? Are there other services
> > on the same server IP address that do require stateful filtering?
>
>
> yup... I think roland and nick (he can correct me, roland I KNOW is
> saying this) are basically saying:
>
> permit tcp any any eq 80
> permit tcp any any eq 443
> deny ip any any
>
> is far, far better than state management in a firewall. Anything more
> complex and your firewall fails long before the 7206's
> interface/filter will :( Some folks would say you'd be better off
> doing some LB/filtering-in-software behind said router interface
> filter, I can't argue with that.
>
> > As I said, most of the time a dedicated DNS appliance doesn't benefit from
> > firewall protection. Occasionally, though, it might.
>
> I suspect the cases where it MAY benefit are the 'lower packet rate,
> ping-o-death-type' attacks only though. Essentially 'use a proxy to
> remove unknown cruft' as a frontend to your more complex dns/web
> answering system, eh?
>
> under load though, high pps rate attacks/instances (victoria secret
> fashion-show sorts of things) your firewall/proxy is likely to die
> before the backend does ;(
>

Very refreshing tone of conversation. Normally I hear a chorus of "defense
in depth" blah when we should be talking about fundamental host / protocol
based robustness.... and matching risks with controls ...not boxes with
places on a network map.

It leads to: security is like an onion, it makes you cry

The ng stateful firewall is no firewall (tm)

I like https://www.opengroup.org/jericho/index.htm

Cb
> -chris
>
> >
> > --Steve Bellovin, https://www.cs.columbia.edu/~smb


drew.weaver at thenap

Jan 18, 2012, 11:26 AM

Post #16 of 35 (456 views)
RE: DNS Attacks [In reply to]

-----Original Message-----
From: Christopher Morrow [mailto:morrowc.lists [at] gmail]
Sent: Wednesday, January 18, 2012 11:43 AM
To: Steven Bellovin
Cc: nanog [at] nanog
Subject: Re: DNS Attacks

yup... I think roland and nick (he can correct me, roland I KNOW is saying this) are basically saying:

permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any

is far, far better than state management in a firewall. Anything more complex and your firewall fails long before the 7206's interface/filter will :( Some folks would say you'd be better off doing some LB/filtering-in-software behind said router interface filter, I can't argue with that.

>>>>>

But you don't get the benefit of UNIFIED THREAT MANAGEMENT or syn-authentication with an access-list or what happens if someone sends your wordpress blog a malformed GET request which causes it to give the attacker root? Or Slowloris, or one of any thousand other HTTP protocol based attacks?

(I'm being sarcastic but that is the argument you will hear).

Seriously though if there is one thing I wish people would stop doing it is releasing web vulnerability scanners for free (like acunetix), they're easy enough to catch because they use sitemaps but they can be a bit annoying and generate a lot of load =)

-Drew


ka at pacific

Jan 19, 2012, 7:54 AM

Post #17 of 35 (450 views)
Re: DNS Attacks [In reply to]

On 1/18/2012 1:45 AM, Leigh Porter wrote:
>
>
> On 18 Jan 2012, at 05:06, "toor"<lists [at] 1337> wrote:
>
>> Hi list,
>>
>> I am wondering if anyone else has seen a large amount of DNS
>> queries coming from various IP ranges in China. I have been trying
>> to find a pattern in the attacks but so far I have come up blank. I
>> am completely guessing these are possibly DNS amplification attacks
>> but I am not sure. Usually what I see is this:
>>
>
> At various seemingly random times over the past week I have had a DNS
> which is behind a firewall come under attack. The firewall is
> significant because the attacks killed the firewall as it is rather
> under-specified (not my idea...).
>
> It did originate from Chinese address space and consisted of DNS
> queries for lots of hosts. There was also a port-scan in the traffic
> and a SYN attack on a few hosts on the same small subnet as the DNS,
> a web server and an open SSH port.
>

We are seeing this too, though we don't have the kind of exposure some
of the larger providers do. FWIW, if for some reason you can't use a
dedicated box for DNS and/or a simple ACL to protect services on a box,
you can turn off connection tracking in iptables per-port using the
NOTRACK target.

iptables -t raw -I PREROUTING -p udp --dport 53 -j NOTRACK
iptables -t raw -I OUTPUT -p udp --sport 53 -j NOTRACK

http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#NOTRACKTARGET

Ken


--
Ken Anderson


hrlinneweh at sbcglobal

Feb 18, 2012, 11:02 AM

Post #18 of 35 (384 views)
Re: DNS Attacks [In reply to]

http://thehackernews.com/2012/02/fbi-will-shutdown-internet-on-march-8.html


________________________________
From: toor <lists [at] 1337>
To: nanog [at] nanog
Sent: Tuesday, January 17, 2012 9:04 PM
Subject: DNS Attacks

Hi list,

I am wondering if anyone else has seen a large amount of DNS queries
coming from various IP ranges in China. I have been trying to find a
pattern in the attacks but so far I have come up blank. I am completely
guessing these are possibly DNS amplification attacks but I am not
sure. Usually what I see is this:

- Attacks most commonly between the hours of 4AM-4PM UTC
- DNS queries appear to be for real domains that the DNS servers in
question are authoritative for (I can't really see any pattern there,
there are about 150,000 zones on the servers in question)
- From a range of IP's there will be an attack for approximately 5-10
minutes before stopping and then a break of 30 minutes or so before
another attack from a different IP range
- Every IP range has been from China

I have limited the number of queries that can be done to mitigate this
but it's messing up my pretty netflow graphs due to the spikes in
flows/packets being sent.

Does anyone have any ideas what the reasoning behind this could be? I
would also be interested to hear from anyone else experiencing this
too.

I can provide IP ranges from where I am seeing the issue but it does
vary a lot between the attacks with the only pattern every time being
the source address is located in China. I read a thread earlier,
http://seclists.org/nanog/2011/Nov/920, which sounds like the exact
thing I am seeing.

Thanks


Joel.Snyder at Opus1

Feb 18, 2012, 1:41 PM

Post #19 of 35 (391 views)
Re: DNS Attacks [In reply to]

> http://thehackernews.com/2012/02/fbi-will-shutdown-internet-on-march-8.html

Quoting the FBI:

85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255

Solve said problem easily by destination NATing those IPs on 53/UDP/TCP
to your own recursive servers, or dump them on Google at 8.8.8.8 if
you're so inclined. Extra bonus result: NAT logs will show who needs a
pleasant email from customer service.

Or you could just let 'em[1] suffer, BoFH-style.

jms

[1] "'em" in this case is "your customer service reps" who will see a
'higher than normal call volume' should the FBI's warning mean anything.

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One Phone: +1 520 324 0494
jms [at] Opus1 http://www.opus1.com/jms


bonomi at mail

Feb 18, 2012, 2:29 PM

Post #20 of 35 (386 views)
Re: DNS Attacks [In reply to]

Joel M Snyder <Joel.Snyder [at] Opus1> wrote;
>
> > http://thehackernews.com/2012/02/fbi-will-shutdown-internet-on-march-8.html
>
> Quoting the FBI:
>
> 85.255.112.0 through 85.255.127.255
> 67.210.0.0 through 67.210.15.255
> 93.188.160.0 through 93.188.167.255
> 77.67.83.0 through 77.67.83.255
> 213.109.64.0 through 213.109.79.255
> 64.28.176.0 through 64.28.191.255
>
> Solve said problem easily by destination NATing those IPs on 53/UDP/TCP
> to your own recursive servers, or dump them on Google at 8.8.8.8 if
> you're so inclined. Extra bonus result: NAT logs will show who needs a
> pleasant email from customer service.

Even better, nat to a 'bogon' DNS server -- one that -- regardless of the
query -- returns the address of a dedicated machine on your network set up
especially for this purpose. This special-purpose machine returns a
customized 'error message' for any/all 'standard' protocols -- one that
states that they are infected with the particular malware, that none of
their attempts at internet access will work until they get that malware
removed, that they need to contact a 'computer repair' business ("See the
Yellow pages") to get the problem dealt with, -and- that assistance with
such malware removal is -not- part of your 'support' services. Lastly, add
a statement that any calls to -your- support staff will incur a fee of $xx
on the customer's account -- just for repeating the above. The special-purpose
machine logs all inbound connection attempts -- timestamp, source IP, and
protocol -- for matching against customer accounts, providing a provable
audit trail to support the 'penalty' charge, when users -do- call 'support'.
Optionally, you refer them to a 'paid consulting' division of your operation,
which provides additional services on a time-and-materials basis.

This approach is -not- particularly 'customer-friendly' in the short term,
but it -will- have long-term benefits for the customer -- they _will_ have
learned something about the risks of not 'practicing safe hex', and their
machine(s) will (well, _probably_) be safer/more secure in the future. Thus
reducing future problems for both the customer and the provider support desk.

> Or you could just let 'em[1] suffer, BoFH-style.
>
> [1] "'em" in this case is "your customer service reps" who will see a
> 'higher than normal call volume' should the FBI's warning mean anything.


ken.gilmour at gmail

Feb 19, 2012, 2:59 AM

Post #21 of 35 (378 views)
Re: DNS Attacks [In reply to]

On Feb 18, 2012 10:24 PM, "Robert Bonomi" <bonomi [at] mail> wrote:
>
> Even better, nat to a 'bogon' DNS server -- one that -- regardless of the
> query -- returns the address of a dedicated machine on your network set up
> especially for this purpose.

What happens when the client sends a POST from a cached page on the end
user's machine? E.g. if they post login credentials. Of course, they'll get
the error page, but then you have confidential data in your logs and now
you have to protect highly confidential info, at least if you're in Europe.


patrick at ianai

Feb 19, 2012, 3:59 AM

Post #22 of 35 (377 views)
Re: DNS Attacks [In reply to]

On Feb 19, 2012, at 10:59, Ken Gilmour <ken.gilmour [at] gmail> wrote:
> On Feb 18, 2012 10:24 PM, "Robert Bonomi" <bonomi [at] mail> wrote:
>>
>> Even better, nat to a 'bogon' DNS server -- one that -- regardless of the
>> query -- returns the address of a dedicated machine on your network set up
>> especially for this purpose.
>
> What happens when the client sends a POST from a cached page on the end
> user's machine? E.g. if they post login credentials. Of course, they'll get
> the error page, but then you have confidential data in your logs and now
> you have to protect highly confidential info, at least if you're in europe.

It is possible to configure the web server not to log POSTed info.

--
TTFN,
patrick


jeroen at unfix

Feb 19, 2012, 4:02 AM

Post #23 of 35 (377 views)
Re: DNS Attacks [In reply to]

On 2012-02-19 12:59 , Patrick W. Gilmore wrote:
> On Feb 19, 2012, at 10:59, Ken Gilmour <ken.gilmour [at] gmail> wrote:
>> On Feb 18, 2012 10:24 PM, "Robert Bonomi" <bonomi [at] mail> wrote:
>>>
>>> Even better, nat to a 'bogon' DNS server -- one that -- regardless of the
>>> query -- returns the address of a dedicated machine on your network set up
>>> especially for this purpose.
>>
>> What happens when the client sends a POST from a cached page on the end
>> user's machine? E.g. if they post login credentials. Of course, they'll get
>> the error page, but then you have confidential data in your logs and now
>> you have to protect highly confidential info, at least if you're in europe.
>
> It is possible to configure the web server not to log POSTed info.

Per default most webservers (Apache, nginx, etc) won't log POST
variables, GET variables will be logged (as they are part of the query)
but those should not contain any PII.

Greets,
Jeroen


Valdis.Kletnieks at vt

Feb 19, 2012, 6:23 AM

Post #24 of 35 (373 views)
Re: DNS Attacks [In reply to]

On Sun, 19 Feb 2012 13:02:01 +0100, Jeroen Massar said:

> Per default most webservers (Apache, nginx, etc) won't log POST
> variables, GET variables will be logged (as they are part of the query)
> but those should not contain any PII.

Right. They shouldn't. But the security mailing lists have lots of
counter-examples from clue-challenged web developers.. Plan your logging
strategy accordingly (is there any safe answer here other than "disable
logging" or "log only timestamp and source IP"?)


bonomi at mail

Feb 19, 2012, 8:14 AM

Post #25 of 35 (377 views)
Re: DNS Attacks [In reply to]

> From ken.gilmour [at] gmail Sun Feb 19 05:04:39 2012
> Date: Sun, 19 Feb 2012 11:59:37 +0100
> Subject: Re: DNS Attacks
> From: Ken Gilmour <ken.gilmour [at] gmail>
> To: Robert Bonomi <bonomi [at] mail>
> Cc: nanog [at] nanog
>
> On Feb 18, 2012 10:24 PM, "Robert Bonomi" <bonomi [at] mail> wrote:
> >
> > Even better, nat to a 'bogon' DNS server -- one that -- regardless of the
> > query -- returns the address of a dedicated machine on your network set up
> > especially for this purpose.
>
> What happens when the client sends a POST from a cached page on the end
> user's machine? E.g. if they post login credentials. Of course, they'll get
> the error page, but then you have confidential data in your logs and now
> you have to protect highly confidential info, at least if you're in europe.
>

*WHAT* 'confidential data' in which logs? <grin>

The aforementioned dedicated machine isn't a real web-server, or a real
'any other' server -- it is solely a special-purpose application machine,
When you connect to it on say, port 80, it doesn't log anything from the
port -- it just logs (1) the timestamp, and (2) the connecting IP address
(and _nothing_ else); then it copies out a previously prepared static file,
and disconnects.

You build a separate app that reads that logfile, matches IP address/timestamp
to a customer account, and feeds a message into the 'customer records' system
that this customer -has- been notified of this problem, and when, in case
they call for support.

If one is 'really' paranoid, the 'logfile' can be implemented as a 'pipe'
between the processes, so that the data never hits disk in the first place. ;)

I've got proof-of-concept code for a single program that handles HTTP (port
80), SMTP (port 25 and port 587), POP3 (port 110), IMAP2 & 4 (port 143), IMAP3
(port 220), TELNET (port 23), FTP (port 21), and NNTP (port 119), so far.
I'm planning to add IRC, and various SSL-based protocols as well.

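The notify-only responder Robert Bonomi describes above, together with the logging question Valdis and Jeroen raise, as an added Python example; this is not code from anyone in the thread, and Bonomi's own proof-of-concept is not shown. It assumes the 'bogon' DNS server already points infected hosts at this box. The notice texts, the port table, the {ip: account} lookup table and every address in `demo()` are constructed for illustration.

```python
import datetime
import queue
import socket

# Constructed notice texts, one per port.  Port 80 answers as HTTP so a browser
# renders it; the mail and FTP banners are permanent-failure replies so those
# clients show an error instead of hanging (Valdis' point that a DNS lookup is
# not always for a website).
NOTICES = {
    80: (b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\nConnection: close\r\n\r\n"
         b"This computer is using rogue DNS servers and needs malware removal.\r\n"),
    25: b"554 This computer is using rogue DNS servers; mail refused.\r\n",
    21: b"421 This computer is using rogue DNS servers; service not available.\r\n",
}
DEFAULT_NOTICE = b"Service unavailable: this computer is using rogue DNS servers.\r\n"


class NotifyOnlyResponder:
    """One accepted connection in, one static notice out.  The only data kept
    is (timestamp, source IP, port), written to `log`, a queue.Queue that acts
    as the in-process 'pipe' Bonomi mentions, so nothing from the client ever
    reaches a file."""

    def __init__(self, log, drain_timeout=2.0):
        self.log = log
        self.drain_timeout = drain_timeout

    def handle(self, conn, peer_ip, port, now=None):
        ts = (now or datetime.datetime.now(datetime.timezone.utc)).isoformat()
        record = (ts, peer_ip, port)
        self.log.put(record)                        # timestamp and source IP only
        try:
            conn.sendall(NOTICES.get(port, DEFAULT_NOTICE))
            conn.shutdown(socket.SHUT_WR)           # we are done talking
            # Drain and discard whatever the client sent (a POSTed login form,
            # a mail body): the bytes are dropped, never stored or inspected.
            # Draining matters on TCP because close() with unread data sends a
            # RST, which can destroy the notice before the client reads it.
            conn.settimeout(self.drain_timeout)
            while conn.recv(4096):
                pass
        except OSError:                             # includes socket.timeout
            pass
        finally:
            conn.close()
        return record


def serve(port, log, host="0.0.0.0"):
    """Accept loop for a real deployment; not exercised by demo()."""
    responder = NotifyOnlyResponder(log)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, (peer_ip, _) = srv.accept()
            responder.handle(conn, peer_ip, port)


def match_to_accounts(log, leases):
    """The separate app Bonomi describes: drain the pipe, map source IP to the
    customer account that held it, and produce 'notified at' notes.  `leases`
    is a constructed {ip: account} table; a real one is indexed by time too."""
    notes = []
    while True:
        try:
            ts, ip, port = log.get_nowait()
        except queue.Empty:
            return notes
        notes.append((leases.get(ip, "unknown"), ts, port))


def demo():
    """Round trip over a socketpair: the 'client' sends a login POST, which
    the server drains without keeping any of it."""
    log = queue.Queue()
    responder = NotifyOnlyResponder(log, drain_timeout=0.2)
    server_end, client_end = socket.socketpair()
    fixed = datetime.datetime(2012, 2, 19, 16, 10, tzinfo=datetime.timezone.utc)
    client_end.sendall(b"POST /login HTTP/1.1\r\nHost: bank.example\r\n\r\n"
                       b"user=alice&pass=constructed-secret")
    record = responder.handle(server_end, "198.51.100.7", 80, now=fixed)
    reply = b""
    while True:
        chunk = client_end.recv(4096)
        if not chunk:
            break
        reply += chunk
    client_end.close()
    notes = match_to_accounts(log, {"198.51.100.7": "cust-0042"})
    return {"record": record, "reply": reply, "notes": notes, "log_empty": log.empty()}


if __name__ == "__main__":
    print(demo())
```

The one design point worth noting is the drain step: a server that never calls `recv()` on TCP will, on `close()`, reset the connection while the client still has unread data, so the notice may never be displayed; reading and discarding is what keeps the client's bytes out of the log while still delivering the page.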

ken.gilmour at gmail

Feb 19, 2012, 11:45 PM

Post #26 of 35 (225 views)
Re: DNS Attacks [In reply to]

--
Sent from my smart phone. Please excuse my brevity
On Feb 19, 2012 4:10 p.m., "Robert Bonomi" <bonomi [at] mail> wrote:
>
> > From ken.gilmour [at] gmail Sun Feb 19 05:04:39 2012
> > Date: Sun, 19 Feb 2012 11:59:37 +0100
> > Subject: Re: DNS Attacks
> > From: Ken Gilmour <ken.gilmour [at] gmail>
> > To: Robert Bonomi <bonomi [at] mail>
> > Cc: nanog [at] nanog
> >
> > On Feb 18, 2012 10:24 PM, "Robert Bonomi" <bonomi [at] mail>
wrote:
> > >
> > > Even better, nat to a 'bogon' DNS server -- one that -- regardless of
the
> > > query -- returns the address of a dedicated machine on your network
set up
> > > especially for this purpose.
> >
> > What happens when the client sends a POST from a cached page on the end
> > user's machine? E.g. if they post login credentials. Of course, they'll
get
> > the error page, but then you have confidential data in your logs and now
> > you have to protect highly confidential info, at least if you're in
europe.
> >
>
> *WHAT* 'confidential data' in which logs? <grin>
>
> The aforementioned dedicated machine isn't a real web-server, or a real
> 'any other' server -- it is solely a special-purpose application machine,
> When you connect to it on say, port 80, it doesn't log anything from the
> port -- it just logs (1) the timestamp, and (2) the connecting IP address
> (and _nothing_ else); then it copies out a previously prepared static
file,
> and disconnects.
>
> You build a separae app that reads that logfile, matches IP
ddress/timestamp
> to a customer account, and feeds a message into the 'customer records'
system
> that this customer -has- been notified of this problem, and when, in case
> they call for support.
>
> If one is 'really' paranoid, the 'logfile' can be implemented as a 'pipe'
> between the processes, so that the data never hits disk in the first
place. ;)
>
> I've got proof-of-concept code for a single program that handles HTTP
(port
> 80), SMTP (port 25 and port 587), POP3 (port 110), IMAP2 & 4 (port 143),
IMAP3
> (port 220), TELNET (port 23), FTP (port 21), and NNTP (port 119), so far.
> I'm planing to add IRC, and various SSL-based protocols as well.
>

So you're suggesting that the client sends a DNS request to one of the sink
holes, which is intercepted by an appliance via some sort of NAT and then
dropped? That's also illegal in Europe. You are denying users the right to
information.

Using a redirect to some sort of Web server (a weird sort of DNS poisoning)
will at least inform a user that they're infected. But then that opens
another can of worms. I am imagining some sort of Facebook style "free
notification system" free to what extent? It also trains users to accept
foreign security advice aka fake AV warnings.


oscar.vives at gmail

Feb 20, 2012, 7:38 AM

Post #27 of 35 (224 views)
Re: DNS Attacks [In reply to]

I am a mere user, so all this stuff sounds to me like gibberish.

The right solution is to capture the request to these DNS servers, and
send to a custom server with a static message "warning.html". Nothing
fancy. With a phone number to "get out of jail", so people can call
to "opt-out" of this thing, so they can browse the internet to search for a
solution.

This or do nothing.

http://www.guardian.co.uk/world/2012/jan/18/iran-death-sentence-porn-programmer
Interpol helps Iran capture a programmer for creating porn sites.

Now, if Interpol wants you to block a DNS server, or worse, to spy
on users connecting to a DNS server. Will you help? Doing nothing is
also a good option, methinks. Start meddling, redirecting DNS traffic,
spying on the user... all these things are dirty and can't end well.

(note, of course, I am a user, so I have a user opinion. )



--
End of message.


Valdis.Kletnieks at vt

Feb 20, 2012, 9:00 AM

Post #28 of 35 (225 views)
Re: DNS Attacks [In reply to]

On Mon, 20 Feb 2012 16:38:00 +0100, Tei said:
> The right solution is to capture the request to these DNS servers, and
> send to a custom server with a static message "warning.html".

Not all DNS lookups are for websites. The lookup could be for NTP, or SMTP,
or ssh, or a World of Warcraft server, or....


morrowc.lists at gmail

Feb 20, 2012, 9:55 AM

Post #29 of 35 (229 views)
Re: DNS Attacks [In reply to]

On Mon, Feb 20, 2012 at 12:00 PM, <Valdis.Kletnieks [at] vt> wrote:
> On Mon, 20 Feb 2012 16:38:00 +0100, Tei said:
>> The right solution is to capture the request to these DNS servers, and
>> send to a custom server with a static message  "warning.html".
>
> Not all DNS lookups are for websites.  The lookup could be for NTP, or SMTP,
> or ssh, or a World of Warcraft server, or....

thank you.


morrowc.lists at gmail

Feb 20, 2012, 9:57 AM

Post #30 of 35 (225 views)
Re: DNS Attacks [In reply to]

On Mon, Feb 20, 2012 at 10:38 AM, Tei <oscar.vives [at] gmail> wrote:
> I am a mere user, so I all this stuff sounds to me like giberish.
>
> The right solution is to capture the request to these DNS servers, and
> send to a custom server with a static message  "warning.html". Nothing
> fancy.   With a phone number to "get out of jail", so people can call
> to "op-out" of this thing, so can browse the internet to search for a
> solution.


in this case, the fbi/dns-changer case, the information is pretty
straightforward for the isp folk... 'client machine makes dns queries
not to the isp dns server (or one of several free dns services), but
to a known bad set of netblocks'

the easy fix is to just stand up (forever, ha!) dns servers on the ip
blocks inside the ISP's network, done and done... they can then start
notifying the customers via mail/email/carrier-pigeon that they are
infected, along with instructions about how to get un-infected.

-chris


joelja at bogus

Feb 20, 2012, 1:00 PM

Post #31 of 35 (224 views)
Re: DNS Attacks [In reply to]

On 2/20/12 09:57 , Christopher Morrow wrote:
> On Mon, Feb 20, 2012 at 10:38 AM, Tei <oscar.vives [at] gmail> wrote:
>> I am a mere user, so I all this stuff sounds to me like giberish.
>>
>> The right solution is to capture the request to these DNS servers, and
>> send to a custom server with a static message "warning.html". Nothing
>> fancy. With a phone number to "get out of jail", so people can call
>> to "op-out" of this thing, so can browse the internet to search for a
>> solution.
>
>
> in this case, the fbi/dns-changer case, the information is pretty
> straightforward for theisp folk... 'client machine makes dns queries
> not to the isp dns server (or one of several free dns services), but
> to a known bad set of netblocks'
>
> the easy fix is to just stand up (forever, ha!) dns servers on the ip
> blocks inside the ISP's network, done and done...

given the size and distribution of the ip blocks in question I doubt
very much that they will go unused forever...

from a previous message in this thread.

Quoting the FBI:
85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255

which map quite nicely to various rir prefix assignments. it's almost like
someone cribbed the whois inetnum field when they loaded their scattergun...

inetnum: 85.255.112.0 - 85.255.127.255

while I have no doubt that some of those prefixes may be run by, rather
than simply host, bad actors, if they're returned to rirs, they will
be assigned again, so a static filter policy will return to bite us
again like it always does.

> they can then start
> notifying the customers via mail/email/carrier-pidgeon that they are
> infected, along with instructions about how to get un-infected.
>
> -chris
>
>

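Joel Snyder's DNAT suggestion (#19), Chris Morrow's detection rule (#30) and Joel Jaeggli's observation that the FBI ranges line up with RIR prefix assignments, as one added Python example; it is not code from anyone in the thread. The six ranges are the ones quoted above. The resolver address `192.0.2.53`, the netflow-style records and the customer IPs are constructed; the generated `iptables -t nat ... -j DNAT` lines use standard syntax but are returned as strings for review, not applied.

```python
import ipaddress

# The six address ranges quoted from the FBI earlier in the thread, exactly
# in the "first through last" form they were posted.
FBI_RANGES = """\
85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255
"""


def ranges_to_prefixes(text):
    """Collapse each 'first through last' range into the minimal list of CIDR
    prefixes.  Every one of these six ranges is a single aligned block, which
    is Joel Jaeggli's point: they are whole inetnum assignments, and will be
    reassigned one day, so any rule built from them needs a review date."""
    prefixes = []
    for line in text.strip().splitlines():
        first, word, last = line.split()
        if word != "through":
            raise ValueError(f"unexpected line: {line!r}")
        prefixes.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return prefixes


def prefix_strings(text=FBI_RANGES):
    return [str(p) for p in ranges_to_prefixes(text)]


def dnat_rules(prefixes, resolver, chain="PREROUTING"):
    """Joel Snyder's fix: rewrite DNS traffic bound for the rogue blocks so it
    lands on the ISP's own recursive resolver.  Returned as strings so an
    operator can review them before loading them."""
    rules = []
    for p in prefixes:
        for proto in ("udp", "tcp"):
            rules.append(
                f"iptables -t nat -A {chain} -d {p} -p {proto} --dport 53 "
                f"-j DNAT --to-destination {resolver}:53")
    return rules


def flag_rogue_dns_clients(flows, prefixes):
    """Chris Morrow's detection: a client is infected if it sends DNS queries
    to the rogue blocks rather than the ISP resolver.  `flows` is an iterable
    of (src_ip, dst_ip, proto, dst_port) tuples, the minimal netflow-style
    record needed.  Returns {src_ip: sorted rogue resolvers it queried}."""
    nets = list(prefixes)
    hits = {}
    for src, dst, _proto, dport in flows:
        if dport != 53:
            continue
        d = ipaddress.ip_address(dst)
        if any(d in n for n in nets):
            hits.setdefault(src, set()).add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}


# Constructed flow records; customer addresses are RFC 5737 documentation space.
SAMPLE_FLOWS = [
    ("203.0.113.5", "85.255.112.36", "udp", 53),    # rogue resolver
    ("203.0.113.5", "8.8.8.8", "udp", 53),          # also uses a public resolver
    ("203.0.113.9", "93.188.161.1", "tcp", 53),     # rogue resolver over TCP
    ("203.0.113.9", "93.188.168.1", "udp", 53),     # just outside the /21: clean
    ("203.0.113.12", "85.255.112.36", "tcp", 80),   # not DNS, ignored
]


def demo(resolver="192.0.2.53"):
    prefixes = ranges_to_prefixes(FBI_RANGES)
    return {
        "prefixes": [str(p) for p in prefixes],
        "rules": dnat_rules(prefixes, resolver),
        "infected": flag_rogue_dns_clients(SAMPLE_FLOWS, prefixes),
    }


if __name__ == "__main__":
    out = demo()
    print("\n".join(out["rules"]))
    for src, dsts in out["infected"].items():
        print(f"notify customer holding {src}: queried {', '.join(dsts)}")
```

Because the DNAT rules match on destination prefix only, the same prefix list drives both the redirect and the notification: anything the detection function flags is exactly the traffic the NAT rules will have rewritten, so the NAT log and the flow-based list should agree.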

morrowc.lists at gmail

Feb 21, 2012, 2:05 PM

Post #32 of 35 (208 views)
Re: DNS Attacks [In reply to]

On Mon, Feb 20, 2012 at 4:00 PM, Joel jaeggli <joelja [at] bogus> wrote:

> be assigned again, so a static filter policy will return to bite us
> again like it always does.

sure, so you are saying there's a time limit on how long the supposed
ISP can run this infrastructure... and that they have until then to
lower their loss rate(s) when customers are cut off and call their
support center because: "The Intertubes are down!".

sounds accurate to me... of course, they've already been getting
notifications of infected folks, so hopefully they have a jump on the
problem already? :)

it's wishful thinking monday!
-chris


mysidia at gmail

Feb 21, 2012, 2:29 PM

Post #33 of 35 (210 views)
Re: DNS Attacks [In reply to]

On Sun, Feb 19, 2012 at 4:59 AM, Ken Gilmour <ken.gilmour [at] gmail> wrote:
> What happens when the client sends a POST from a cached page on the end
> user's machine? E.g. if they post login credentials. Of course, they'll get
> the error page, but then you have confidential data in your logs and now
> you have to protect highly confidential info, at least if you're in europe.

Either you don't log the data on the webserver, or you notify the
user that the POST form data has now been posted, and display the link
to the public web page where their posted data now appears, on the
error page.

Once your user has shared "confidential" information unsolicited with
an unknown third party, and the general public, the information's
confidentiality was spoiled by the act of posting, regardless of the
content of the information.

--
-JH


Valdis.Kletnieks at vt

Feb 21, 2012, 3:15 PM

Post #34 of 35 (207 views)
Re: DNS Attacks [In reply to]

On Tue, 21 Feb 2012 16:29:04 CST, Jimmy Hess said:
> Once your user has shared "confidential" information unsolicited with
> an unknown third party, and the general public, the information's
> confidentiality was spoiled by the act of posting, regardless of the
> content of the information

I see lawyers booking their vacations in Tahiti now.....


hrlinneweh at sbcglobal

Feb 21, 2012, 6:17 PM

Post #35 of 35 (211 views)
Re: DNS Attacks [In reply to]

Here is a repeat
http://www.theregister.co.uk/2012/02/16/ghost_domains_dns_vuln/

-henry
________________________________
From: "Valdis.Kletnieks [at] vt" <Valdis.Kletnieks [at] vt>
To: Jimmy Hess <mysidia [at] gmail>
Cc: nanog [at] nanog
Sent: Tuesday, February 21, 2012 3:15 PM
Subject: Re: DNS Attacks

On Tue, 21 Feb 2012 16:29:04 CST, Jimmy Hess said:
> Once your user has shared "confidential" information unsolicited with
> an unknown third party, and the general public,   the information's
> confidentiality was spoiled by the act of posting, regardless of the
> content of the information

I see lawyers booking their vacations in Tahiti now.....
