
Mailing List Archive: NANOG: users

DNS Attacks

 

 



Post #1 of 35: lists at 1337, Jan 17, 2012, 9:04 PM
DNS Attacks

Hi list,

I am wondering if anyone else has seen a large amount of DNS queries
coming from various IP ranges in China. I have been trying to find a
pattern in the attacks but so far I have come up blank. I am completely
guessing these are possibly DNS amplification attacks but I am not
sure. Usually what I see is this:

- Attacks most commonly between the hours of 4AM-4PM UTC
- DNS queries appear to be for real domains that the DNS servers in
question are authoritative for (I can't really see any pattern there,
there are about 150,000 zones on the servers in question)
- From a range of IPs there will be an attack for approximately 5-10
minutes before stopping and then a break of 30 minutes or so before
another attack from a different IP range
- Every IP range has been from China

I have limited the number of queries that can be done to mitigate this
but it's messing up my pretty netflow graphs due to the spikes in
flows/packets being sent.

Does anyone have any ideas what the reasoning behind this could be? I
would also be interested to hear from anyone else experiencing this
too.

I can provide IP ranges from where I am seeing the issue but it does
vary a lot between the attacks with the only pattern every time being
the source address is located in China. I read a thread earlier,
http://seclists.org/nanog/2011/Nov/920, which sounds like the exact
thing I am seeing.

Thanks


Post #2 of 35: marka at isc, Jan 17, 2012, 9:15 PM
Re: DNS Attacks

In message <CALjCmpma-gXUerPUfeAWtgZn4qtVkxJTaEFL3D9Gc0OTvS96oQ [at] mail>,
toor writes:

Most of the time you will be being used as an amplifier and the
source traffic is spoofed. The short periods are so that it is
harder to trace the compromised machines.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka [at] isc
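A worked check for the pattern toor describes and the explanation Mark gives, added here as an example; it is not code from either poster. Given per-query records (timestamp, source address, qname, query bytes, response bytes) in the layout assumed below, it collapses sources to /24s, finds prefixes whose query rate stays high across consecutive one-minute windows, merges those windows into bursts, and reports how many bytes of answers went back per byte of query. If the sources are spoofed, that ratio is the amplification the real target receives. The sample records, the thresholds and the documentation-range addresses are all constructed for the example.

```python
"""Find reflection-style query bursts per source prefix in a DNS query log.

Added example, not code from the thread.  Record layout, sample data and
thresholds are constructed for illustration; addresses are documentation
ranges, not anyone's real netblocks.
"""
from collections import defaultdict
from ipaddress import ip_interface

# record: (epoch seconds, source address, qname, query bytes, response bytes)
BASE = 1326873600  # 2012-01-18 08:00:00 UTC, inside the 04:00-16:00 UTC span toor reported


def make_sample() -> list:
    """Constructed log: 15 min of 1 qps background plus a 300 s, 20 qps burst from one /24."""
    recs = []
    for t in range(900):
        recs.append((BASE + t, "198.51.100.7", "example.net.", 60, 180))
    for t in range(120, 420):
        for i in range(20):
            host = (t * 20 + i) % 254 + 1  # spread across the prefix, as a spoofed flood is
            recs.append((BASE + t, f"203.0.113.{host}", "example.com.", 60, 3000))
    return recs


def prefix_of(ip: str, plen: int = 24) -> str:
    """Collapse a source address to its covering prefix (toor's 'IP range')."""
    return str(ip_interface(f"{ip}/{plen}").network)


def bucket_stats(records, window: int = 60, plen: int = 24) -> dict:
    """prefix -> window index -> [queries, query bytes, response bytes]."""
    stats = defaultdict(lambda: defaultdict(lambda: [0, 0, 0]))
    for ts, src, _qname, qbytes, rbytes in records:
        cell = stats[prefix_of(src, plen)][ts // window]
        cell[0] += 1
        cell[1] += qbytes
        cell[2] += rbytes
    return stats


def find_bursts(records, window: int = 60, min_qps: float = 5.0,
                min_amplification: float = 10.0) -> list:
    """Merge consecutive hot windows of one prefix into a burst and score it."""
    bursts = []
    for prefix, buckets in bucket_stats(records, window).items():
        run = None
        for b in sorted(buckets):
            queries, qbytes, rbytes = buckets[b]
            hot = queries / window >= min_qps
            if hot and run is not None and b == run["last"] + 1:
                run["last"] = b
                run["queries"] += queries
                run["qbytes"] += qbytes
                run["rbytes"] += rbytes
                continue
            if run is not None:
                bursts.append(run)
                run = None
            if hot:
                run = {"prefix": prefix, "first": b, "last": b,
                       "queries": queries, "qbytes": qbytes, "rbytes": rbytes}
        if run is not None:
            bursts.append(run)
    for r in bursts:
        r["start"] = r.pop("first") * window
        r["duration_s"] = (r.pop("last") + 1) * window - r["start"]
        r["amplification"] = r["rbytes"] / r["qbytes"]  # bytes the 'source' receives per byte sent
        r["likely_reflection"] = r["amplification"] >= min_amplification
    return bursts


if __name__ == "__main__":
    for burst in find_bursts(make_sample()):
        print(burst)
```

On the constructed sample this reports one 300 s burst from 203.0.113.0/24 with a 50:1 byte ratio and nothing for the background resolver. A burst that starts and stops abruptly across a whole /24, with every query answered at full size, is the shape Mark describes: the prefix is then the target of the responses rather than the operator of the attack, which is the point Chris makes about the source being the thing attacked. Tune min_qps to the server's normal per-prefix rate before trusting the flags.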


Post #3 of 35: morrowc.lists at gmail, Jan 17, 2012, 9:34 PM
Re: DNS Attacks

On Wed, Jan 18, 2012 at 12:04 AM, toor <lists [at] 1337> wrote:
> Hi list,
>
> I am wondering if anyone else has seen a large amount of DNS queries
> coming from various IP ranges in China. I have been trying to find a

china is a big country....

> pattern in the attacks but so far I have come up blank. I am completely
> guessing these are possibly DNS amplification attacks but I am not
> sure. Usually what I see is this:
>
> - Attacks most commonly between the hours of 4AM-4PM UTC
> - DNS queries appear to be for real domains that the DNS servers in
> question are authoritative for (I can't really see any pattern there,
> there are about 150,000 zones on the servers in question)

yup

> - From a range of IPs there will be an attack for approximately 5-10
> minutes before stopping and then a break of 30 minutes or so before
> another attack from a different IP range

marka noted that the source is really the thing being attacked, that
seems to be the case in the incidents I've seen (and which I've seen
other folks also make note of, over the last ~2-3 months)

> - Every IP range has been from China
>

yup, probably over .cn peer links? if you have them...

> I have limited the number of queries that can be done to mitigate this
> but its messing up my pretty netflow graphs due to the spikes in
> flows/packets being sent.

yea... you can't really limit queries, unless you can react in almost
real-time to drop the queries on the floor before your servers see
them :( or capacity-plan for the spikes, which is... rough.

>
> Does anyone have any ideas what the reasoning behind this could be? I
> would also be interested to hear from anyone else experiencing this
> too.
>

lots of folks are chattering privately about this, it's something in
china attacking chinese users. The BW and PPS rates involved are likely
quite high...

> I can provide IP ranges from where I am seeing the issue but it does
> vary a lot between the attacks with the only pattern every time being
> the source address is located in China. I read a thread earlier,
> http://seclists.org/nanog/2011/Nov/920, which sounds like the exact
> thing I am seeing.
>

it probably is... if you run decently large auth complexes with lots
of domains, welcome to the party.

-chris



Post #4 of 35: leigh.porter at ukbroadband, Jan 17, 2012, 11:45 PM
Re: DNS Attacks

On 18 Jan 2012, at 05:06, "toor" <lists [at] 1337> wrote:

> Hi list,
>
> I am wondering if anyone else has seen a large amount of DNS queries
> coming from various IP ranges in China. I have been trying to find a
> pattern in the attacks but so far I have come up blank. I am completely
> guessing these are possibly DNS amplification attacks but I am not
> sure. Usually what I see is this:
>

At various seemingly random times over the past week I have had a DNS server which is behind a firewall come under attack. The firewall is significant because the attacks killed the firewall as it is rather under-specified (not my idea..).

It did originate from Chinese address space and consisted of DNS queries for lots of hosts. There was also a port-scan in the traffic and a SYN attack on a few hosts on the same small subnet as the DNS, a web server and an open SSH port.

--
Leigh Porter




Post #5 of 35: rdobbins at arbor, Jan 18, 2012, 12:05 AM
Re: DNS Attacks

On Jan 18, 2012, at 2:45 AM, Leigh Porter wrote:

> The firewall is significant because the attacks killed the firewall as it is rather under specified (not my idea..).


DNS servers (or any other kind of server, for that matter) should never be placed behind stateful firewalls - the largest firewall one can build or buy will choke under even moderate DDoS attacks due to state-table exhaustion:

<https://files.me.com/roland.dobbins/679xji>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins [at] arbor> // <http://www.arbornetworks.com>

The basis of optimism is sheer terror.

-- Oscar Wilde
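To put numbers on Roland's state-table point, here is an added model of a stateful firewall in front of a DNS server under a spoofed-source query flood. It is not code from the thread and does not reproduce any vendor's implementation. Every spoofed query arrives from an (address, port) tuple the firewall has never seen, so each packet costs one state entry that lives until the UDP idle timeout; once the table is full, new flows are refused whether they are legitimate or not. The table capacity, timeout and packet rates used are assumptions chosen for illustration.

```python
"""Model a stateful firewall's UDP state table under a spoofed-source DNS flood.

Added example, not code from the thread and not any vendor's behaviour.
Capacities, rates and timeouts are assumptions chosen for illustration.
"""
from collections import deque


def steady_state_entries(new_flows_per_second: int, udp_timeout: int) -> int:
    """Concurrent entries a sustained flood of unique tuples pins in the table."""
    return new_flows_per_second * udp_timeout


def simulate(capacity: int, udp_timeout: int, attack_pps: int,
             legit_pps: int, seconds: int) -> dict:
    """Second-by-second simulation of the state table.

    attack_pps spoofed queries and legit_pps genuine queries arrive each
    second, every one a new flow.  Returns peak occupancy, the first second
    in which a legitimate flow was refused (None if never) and how many were.
    """
    expiring = deque()  # (second at which this batch expires, entries admitted then)
    entries = 0
    result = {"peak_entries": 0, "first_legit_drop_at": None,
              "legit_dropped": 0, "legit_total": legit_pps * seconds}
    for t in range(seconds):
        while expiring and expiring[0][0] <= t:
            entries -= expiring.popleft()[1]
        offered = attack_pps + legit_pps
        admitted = min(offered, capacity - entries)
        # arrivals interleave, so legitimate flows get only their share of free slots
        legit_admitted = admitted * legit_pps // offered
        dropped = legit_pps - legit_admitted
        if dropped:
            result["legit_dropped"] += dropped
            if result["first_legit_drop_at"] is None:
                result["first_legit_drop_at"] = t
        entries += admitted
        expiring.append((t + udp_timeout, admitted))
        result["peak_entries"] = max(result["peak_entries"], entries)
    return result


if __name__ == "__main__":
    # assumed: 1M-entry table, 30 s UDP timeout, 50 kpps spoofed flood, 2 kpps real queries
    print("entries needed to absorb the flood statefully:",
          steady_state_entries(52_000, 30))
    print(simulate(capacity=1_000_000, udp_timeout=30, attack_pps=50_000,
                   legit_pps=2_000, seconds=120))
```

steady_state_entries is the sizing rule: a flood of fresh tuples pins pps x timeout entries, so 52k new flows per second against a 30 s timeout needs about 1.56 M entries just to stand still, and with the assumed 1 M table legitimate resolvers start being refused in the 20th second and keep being refused for a third of every timeout period after that. Because resolvers randomise source ports, even legitimate query traffic is one state entry per packet; the stateless path (a router ACL, or untracked rules on the host) has no table to fill, which is the point Roland is making.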


Post #6 of 35: joelja at bogus, Jan 18, 2012, 12:35 AM
Re: DNS Attacks

On 1/17/12 23:45 , Leigh Porter wrote:
>
>
> On 18 Jan 2012, at 05:06, "toor" <lists [at] 1337> wrote:
>
>> Hi list,
>>
>> I am wondering if anyone else has seen a large amount of DNS
>> queries coming from various IP ranges in China. I have been trying
>> to find a pattern in the attacks but so far I have come up blank. I
>> am completely guessing these are possibly DNS amplification attacks
>> but I am not sure. Usually what I see is this:
>>
>
> At various seemingly random times over the past week I have had a DNS
> which is behind a firewall come under attack. The firewall is
> significant because the attacks killed the firewall as it is rather
> under specified (not my idea..).

Given that the pps rate and the cps rate of DNS requests are rather
similar one expects the value of inspecting unsolicited queries to your
nameserver to be rather low.



Post #7 of 35: dennis at justipit, Jan 18, 2012, 4:53 AM
Re: DNS Attacks

I agree with Roland on the firewall placement. I add that the attack would have likely succeeded to exhaust the servers. There is a lot of recent DDoS activity on DNS with what looks like legitimate queries. You should also look at some DoS/application level protections; Radware and Arbor top the list.




Post #8 of 35: virendra.rode at gmail, Jan 18, 2012, 5:57 AM
Re: DNS Attacks


Hi -

We've been victims of these attacks many times, and more recently
towards our customer DNS servers, which was rated at ~4 Gbps for a
duration of 30 mins.

Tracking the source of an attack is simplified when the source is more
likely to be "valid".

The nature of these attacks for us was a combination of amplification
and spoofing; however, implementing anti-spoofing (uRPF), especially BCP38,
is a good idea. Not saying it's a fix, but certainly the attack methodology
will lessen significantly.

As Matt Katz put it rightly so, "Distributed denial of service can only
be solved with distributed delivery of service".


regards,
/virendra



Post #9 of 35: drew.weaver at thenap, Jan 18, 2012, 6:01 AM
RE: DNS Attacks

We ran into a 25Gbps SNMP 'reply/amplification attack' from a cable modem network about a month ago.

Hopefully the particular network has fixed that issue now, but it was a banner day to be sure.

Thanks,
-Drew




Post #10 of 35: leigh.porter at ukbroadband, Jan 18, 2012, 6:18 AM
RE: DNS Attacks

Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long as it is not *my* firewalls I really don't care what they do ;-)

--
Leigh Porter




Post #11 of 35: nick at foobar, Jan 18, 2012, 7:05 AM
Re: DNS Attacks

On 18/01/2012 14:18, Leigh Porter wrote:
> Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long
> as it is not *my* firewalls I really don't care what they do ;-)

As you're posting here, it looks like it's become your problem. :-D

Seriously, though, there is no value to maintaining state for DNS queries.
You would be much better off to put your firewall production interfaces on
a routed port on a hardware router so that you can implement ASIC packet
filtering. This will operate at wire speed without dumping you into the
colloquial poo every time someone decides to take out your critical
infrastructure.

Nick


Post #12 of 35: morrowc.lists at gmail, Jan 18, 2012, 7:41 AM
Re: DNS Attacks

On Wed, Jan 18, 2012 at 10:05 AM, Nick Hilliard <nick [at] foobar> wrote:
> On 18/01/2012 14:18, Leigh Porter wrote:
>> Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long
>> as it is not *my* firewalls I really don't care what they do ;-)
>
> As you're posting here, it looks like it's become your problem. :-D
>
> Seriously, though, there is no value to maintaining state for DNS queries.
>  You would be much better off to put your firewall production interfaces on
> a routed port on a hardware router so that you can implement ASIC packet
> filtering.  This will operate at wire speed without dumping you into the
> colloquial poo every time someone decides to take out your critical
> infrastructure.

I get the feeling that leigh had implemented this against his own
advice for a client... that he's onboard with 'putting a firewall in
front of a dns server is dumb' meme...


Post #13 of 35: smb at cs, Jan 18, 2012, 8:34 AM
Re: DNS Attacks

On Jan 18, 2012, at 10:41 30AM, Christopher Morrow wrote:

> On Wed, Jan 18, 2012 at 10:05 AM, Nick Hilliard <nick [at] foobar> wrote:
>> On 18/01/2012 14:18, Leigh Porter wrote:
>>> Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long
>>> as it is not *my* firewalls I really don't care what they do ;-)
>>
>> As you're posting here, it looks like it's become your problem. :-D
>>
>> Seriously, though, there is no value to maintaining state for DNS queries.
>> You would be much better off to put your firewall production interfaces on
>> a routed port on a hardware router so that you can implement ASIC packet
>> filtering. This will operate at wire speed without dumping you into the
>> colloquial poo every time someone decides to take out your critical
>> infrastructure.
>
> I get the feeling that leigh had implemented this against his own
> advice for a client... that he's onboard with 'putting a firewall in
> front of a dns server is dumb' meme...

In principle, this is certainly correct (and I've often said the same thing
about web servers); in practice, though, a lot depends on the specs. For
example: can the firewall discard useless requests more quickly? Does it do
a better job of discarding malformed packets? Is the vendor better about
supplying patches to new vulnerabilities? Can it do a better job filtering
on source IP address? Does it do load-balancing? Are there other services
on the same server IP address that do require stateful filtering?

As I said, most of the time a dedicated DNS appliance doesn't benefit from
firewall protection. Occasionally, though, it might.


--Steve Bellovin, https://www.cs.columbia.edu/~smb


Post #14 of 35: morrowc.lists at gmail, Jan 18, 2012, 8:42 AM
Re: DNS Attacks

On Wed, Jan 18, 2012 at 11:34 AM, Steven Bellovin <smb [at] cs> wrote:
>
> On Jan 18, 2012, at 10:41 30AM, Christopher Morrow wrote:
>
>> On Wed, Jan 18, 2012 at 10:05 AM, Nick Hilliard <nick [at] foobar> wrote:
>>> On 18/01/2012 14:18, Leigh Porter wrote:
>>>> Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long
>>>> as it is not *my* firewalls I really don't care what they do ;-)
>>>
>>> As you're posting here, it looks like it's become your problem. :-D
>>>
>>> Seriously, though, there is no value to maintaining state for DNS queries.
>>>  You would be much better off to put your firewall production interfaces on
>>> a routed port on a hardware router so that you can implement ASIC packet
>>> filtering.  This will operate at wire speed without dumping you into the
>>> colloquial poo every time someone decides to take out your critical
>>> infrastructure.
>>
>> I get the feeling that leigh had implemented this against his own
>> advice for a client... that he's onboard with 'putting a firewall in
>> front of a dns server is dumb' meme...
>
> In principle, this is certainly correct (and I've often said the same thing
> about web servers); in practice, though, a lot depends on the specs.  For
> example: can the firewall discard useless requests more quickly?  Does it do
> a better job of discarding malformed packets?  Is the vendor better about
> supplying patches to new vulnerabilities?  Can it do a better job filtering
> on source IP address?  Does it do load-balancing?  Are there other services
> on the same server IP address that do require stateful filtering?


yup... I think roland and nick (he can correct me, roland I KNOW is
saying this) are basically saying:

permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any

is far, far better than state management in a firewall. Anything more
complex and your firewall fails long before the 7206's
interface/filter will :( Some folks would say you'd be better off
doing some LB/filtering-in-software behind said router interface
filter, I can't argue with that.

> As I said, most of the time a dedicated DNS appliance doesn't benefit from
> firewall protection.  Occasionally, though, it might.

I suspect the cases where it MAY benefit are the 'lower packet rate,
ping-o-death-type' attacks only though. Essentially 'use a proxy to
remove unknown cruft' as a frontend to your more complex dns/web
answering system, eh?

under load though, high pps rate attacks/instances (Victoria's Secret
fashion-show sorts of things) your firewall/proxy is likely to die
before the backend does ;(

-chris



Post #15 of 35: cb.list6 at gmail, Jan 18, 2012, 9:15 AM
Re: DNS Attacks

On Jan 18, 2012 8:43 AM, "Christopher Morrow" <morrowc.lists [at] gmail>
wrote:

Very refreshing tone of conversation. Normally I hear a chorus of "defense
in depth" blah when we should be talking about fundamental host / protocol
based robustness.... and matching risks with controls ...not boxes with
places on a network map.

It leads to: security is like an onion, it makes you cry

The ng stateful firewall is no firewall (tm)

I like https://www.opengroup.org/jericho/index.htm

Cb


Post #16 of 35: drew.weaver at thenap, Jan 18, 2012, 11:26 AM
RE: DNS Attacks

-----Original Message-----
From: Christopher Morrow [mailto:morrowc.lists [at] gmail]
Sent: Wednesday, January 18, 2012 11:43 AM
To: Steven Bellovin
Cc: nanog [at] nanog
Subject: Re: DNS Attacks

yup... I think roland and nick (he can correct me, roland I KNOW is saying this) are basically saying:

permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any

is far, far better than state management in a firewall. Anything more complex and your firewall fails long before the 7206's interface/filter will :( Some folks would say you'd be better off doing some LB/filtering-in-software behind said router interface filter, I can't argue with that.

>>>>>

But you don't get the benefit of UNIFIED THREAT MANAGEMENT or syn-authentication with an access-list or what happens if someone sends your wordpress blog a malformed GET request which causes it to give the attacker root? Or Slowloris, or one of any thousand other HTTP protocol based attacks?

(I'm being sarcastic but that is the argument you will hear).

Seriously though if there is one thing I wish people would stop doing it is releasing web vulnerability scanners for free (like acunetix), they're easy enough to catch because they use sitemaps but they can be a bit annoying and generate a lot of load =)

-Drew


Post #17 of 35: ka at pacific, Jan 19, 2012, 7:54 AM
Re: DNS Attacks

On 1/18/2012 1:45 AM, Leigh Porter wrote:
>
>
> On 18 Jan 2012, at 05:06, "toor"<lists [at] 1337> wrote:
>
>> Hi list,
>>
>> I am wondering if anyone else has seen a large amount of DNS
>> queries coming from various IP ranges in China. I have been trying
>> to find a pattern in the attacks but so far I have come up blank. I
>> am completely guessing these are possibly DNS amplification attacks
>> but I am not sure. Usually what I see is this:
>>
>
> At various seemingly random times over the past week I have had a DNS
> which is behind a firewall come under attack. The firewall is
> significant because the attacks killed the firewall as it is rather
> under specified (not my idea..).
>
> It did originate from Chinese address space and consisted of DNS
> queries for lots of hosts. There was also a port-scan in the traffic
> and a SYN attack on a few hosts on the same small subnet as the DNS,
> a web server and an open SSH port.
>

We are seeing this too, though we don't have the kind of exposure some
of the larger providers do. fwiw.. If for some reason, you can't use a
dedicated box for DNS and/or a simple acl to protect services on a box,
you can turn off connection tracking in iptables per-port using the
NOTRACK target.

# the raw table is consulted before conntrack, so these packets never get a state entry
iptables -t raw -I PREROUTING -p udp --dport 53 -j NOTRACK
iptables -t raw -I OUTPUT -p udp --sport 53 -j NOTRACK
# untracked packets no longer match -m state / -m conntrack rules, so the filter
# table needs explicit ACCEPT rules for udp/53 in both directions

http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#NOTRACKTARGET

Ken


--
Ken Anderson


Post #18 of 35: hrlinneweh at sbcglobal, Feb 18, 2012, 11:02 AM
Re: DNS Attacks

http://thehackernews.com/2012/02/fbi-will-shutdown-internet-on-march-8.html


________________________________
From: toor <lists [at] 1337>
To: nanog [at] nanog
Sent: Tuesday, January 17, 2012 9:04 PM
Subject: DNS Attacks

Hi list,

I am wondering if anyone else has seen a large amount of DNS queries
coming from various IP ranges in China. I have been trying to find a
pattern in the attacks but so far I have come up blank. I am completely
guessing these are possibly DNS amplification attacks but I am not
sure. Usually what I see is this:

- Attacks most commonly between the hours of 4AM-4PM UTC
- DNS queries appear to be for real domains that the DNS servers in
question are authoritative for (I can't really see any pattern there,
there are about 150,000 zones on the servers in question)
- From a range of IPs there will be an attack for approximately 5-10
minutes before stopping and then a break of 30 minutes or so before
another attack from a different IP range
- Every IP range has been from China

I have limited the number of queries that can be done to mitigate this
but it's messing up my pretty netflow graphs due to the spikes in
flows/packets being sent.

Does anyone have any ideas what the reasoning behind this could be? I
would also be interested to hear from anyone else experiencing this
too.

I can provide IP ranges from where I am seeing the issue but it does
vary a lot between the attacks with the only pattern every time being
the source address is located in China. I read a thread earlier,
http://seclists.org/nanog/2011/Nov/920, which sounds like the exact
thing I am seeing.

Thanks


Joel.Snyder at Opus1

Feb 18, 2012, 1:41 PM

Post #19 of 35 (392 views)
Permalink
Re: DNS Attacks [In reply to]

> http://thehackernews.com/2012/02/fbi-will-shutdown-internet-on-march-8.html

Quoting the FBI:

85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255

Solve said problem easily by destination NATing those IPs on 53/UDP/TCP
to your own recursive servers, or dump them on Google at 8.8.8.8 if
you're so inclined. Extra bonus result: NAT logs will show who needs a
pleasant email from customer service.

Or you could just let 'em[1] suffer, BoFH-style.

jms

[1] "'em" in this case is "your customer service reps" who will see a
'higher than normal call volume' should the FBI's warning mean anything.

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One Phone: +1 520 324 0494
jms [at] Opus1 http://www.opus1.com/jms
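Finding the customers those NAT logs would reveal, as an added example that is not from the thread: it converts the six ranges quoted above into CIDR networks (the form an ACL or DNAT rule wants) and scans constructed netflow-style records for inside hosts sending DNS to them. The record format "src dst proto dport" is my assumption.

```python
from ipaddress import ip_address, summarize_address_range

# The six ranges as quoted from the FBI notice above, copied verbatim.
ROGUE_RANGES = [
    "85.255.112.0 through 85.255.127.255",
    "67.210.0.0 through 67.210.15.255",
    "93.188.160.0 through 93.188.167.255",
    "77.67.83.0 through 77.67.83.255",
    "213.109.64.0 through 213.109.79.255",
    "64.28.176.0 through 64.28.191.255",
]

def ranges_to_networks(ranges):
    """Convert 'first through last' strings into CIDR networks, the form an ACL or
    destination-NAT rule wants. Each range here happens to be one aligned block."""
    nets = []
    for r in ranges:
        first, last = (ip_address(p.strip()) for p in r.split("through"))
        nets.extend(summarize_address_range(first, last))
    return nets

ROGUE_NETS = ranges_to_networks(ROGUE_RANGES)

def is_rogue_resolver(addr):
    """True if addr falls inside any of the rogue resolver ranges."""
    return any(ip_address(addr) in n for n in ROGUE_NETS)

def find_infected_clients(flow_lines):
    """flow_lines: constructed netflow-style records 'src_ip dst_ip proto dport'.
    Returns the set of inside hosts that sent DNS (port 53, UDP or TCP) to a
    rogue range: the customers to notify, or to DNAT onto a real resolver."""
    clients = set()
    for line in flow_lines:
        src, dst, proto, dport = line.split()
        if dport == "53" and proto in ("udp", "tcp") and is_rogue_resolver(dst):
            clients.add(src)
    return clients

if __name__ == "__main__":
    # Constructed sample: two hosts talking to rogue resolvers, one using 8.8.8.8,
    # and one HTTP flow to a rogue range that is not a DNS query and so is ignored.
    SAMPLE = [
        "192.0.2.10 85.255.112.5 udp 53",
        "192.0.2.11 8.8.8.8 udp 53",
        "192.0.2.12 93.188.161.9 tcp 53",
        "192.0.2.13 64.28.180.1 tcp 80",
    ]
    print([str(n) for n in ROGUE_NETS])
    print(sorted(find_infected_clients(SAMPLE)))   # ['192.0.2.10', '192.0.2.12']
```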


bonomi at mail

Feb 18, 2012, 2:29 PM

Post #20 of 35 (387 views)
Permalink
Re: DNS Attacks [In reply to]

Joel M Snyder <Joel.Snyder [at] Opus1> wrote:
>
> > http://thehackernews.com/2012/02/fbi-will-shutdown-internet-on-march-8.html
>
> Quoting the FBI:
>
> 85.255.112.0 through 85.255.127.255
> 67.210.0.0 through 67.210.15.255
> 93.188.160.0 through 93.188.167.255
> 77.67.83.0 through 77.67.83.255
> 213.109.64.0 through 213.109.79.255
> 64.28.176.0 through 64.28.191.255
>
> Solve said problem easily by destination NATing those IPs on 53/UDP/TCP
> to your own recursive servers, or dump them on Google at 8.8.8.8 if
> you're so inclined. Extra bonus result: NAT logs will show who needs a
> pleasant email from customer service.

Even better, nat to a 'bogon' DNS server -- one that -- regardless of the
query -- returns the address of a dedicated machine on your network set up
especially for this purpose. This special-purpose machine returns a
customized 'error message' for any/all 'standard' protocols -- one that
states that they are infected with the particular malware, that none of
their attempts at internet access will work until they get that malware
removed, that they need to contact a 'computer repair' business ("See the
Yellow pages") to get the problem dealt with, -and- that assistance with
such malware removal is -not- part of your 'support' services. Lastly, add
a statement that any calls to -your- support staff will incur a fee of $xx
on the customer's account -- just for repeating the above. The special-purpose
machine logs all inbound connection attempts -- timestamp, source IP, and
protocol -- for matching against customer accounts, providing a provable
audit trail to support the 'penalty' charge, when users -do- call 'support'.
Optionally, you refer them to a 'paid consulting' division of your operation,
which provides additional services on a time-and-materials basis.

This approach is -not- particularly 'customer-friendly' in the short term,
but it -will- have long-term benefits for the customer -- they _will_ have
learned something about the risks of not 'practicing safe hex', and their
machine(s) will (well, _probably_) be safer/more secure in the future. Thus
reducing future problems for both the customer and the provider support desk.

> Or you could just let 'em[1] suffer, BoFH-style.
>
> [1] "'em" in this case is "your customer service reps" who will see a
> 'higher than normal call volume' should the FBI's warning mean anything.


ken.gilmour at gmail

Feb 19, 2012, 2:59 AM

Post #21 of 35 (380 views)
Permalink
Re: DNS Attacks [In reply to]

On Feb 18, 2012 10:24 PM, "Robert Bonomi" <bonomi [at] mail> wrote:
>
> Even better, nat to a 'bogon' DNS server -- one that -- regardless of the
> query -- returns the address of a dedicated machine on your network set up
> especially for this purpose.

What happens when the client sends a POST from a cached page on the end
user's machine? E.g. if they post login credentials. Of course, they'll get
the error page, but then you have confidential data in your logs and now
you have to protect highly confidential info, at least if you're in Europe.


patrick at ianai

Feb 19, 2012, 3:59 AM

Post #22 of 35 (379 views)
Permalink
Re: DNS Attacks [In reply to]

On Feb 19, 2012, at 10:59, Ken Gilmour <ken.gilmour [at] gmail> wrote:
> On Feb 18, 2012 10:24 PM, "Robert Bonomi" <bonomi [at] mail> wrote:
>>
>> Even better, nat to a 'bogon' DNS server -- one that -- regardless of the
>> query -- returns the address of a dedicated machine on your network set up
>> especially for this purpose.
>
> What happens when the client sends a POST from a cached page on the end
> user's machine? E.g. if they post login credentials. Of course, they'll get
> the error page, but then you have confidential data in your logs and now
> you have to protect highly confidential info, at least if you're in Europe.

It is possible to configure the web server not to log POSTed info.

--
TTFN,
patrick


jeroen at unfix

Feb 19, 2012, 4:02 AM

Post #23 of 35 (379 views)
Permalink
Re: DNS Attacks [In reply to]

On 2012-02-19 12:59, Patrick W. Gilmore wrote:
> On Feb 19, 2012, at 10:59, Ken Gilmour <ken.gilmour [at] gmail> wrote:
>> On Feb 18, 2012 10:24 PM, "Robert Bonomi" <bonomi [at] mail> wrote:
>>>
>>> Even better, nat to a 'bogon' DNS server -- one that -- regardless of the
>>> query -- returns the address of a dedicated machine on your network set up
>>> especially for this purpose.
>>
>> What happens when the client sends a POST from a cached page on the end
>> user's machine? E.g. if they post login credentials. Of course, they'll get
>> the error page, but then you have confidential data in your logs and now
>> you have to protect highly confidential info, at least if you're in Europe.
>
> It is possible to configure the web server not to log POSTed info.

Per default most webservers (Apache, nginx, etc) won't log POST
variables, GET variables will be logged (as they are part of the query)
but those should not contain any PII.

Greets,
Jeroen


Valdis.Kletnieks at vt

Feb 19, 2012, 6:23 AM

Post #24 of 35 (374 views)
Permalink
Re: DNS Attacks [In reply to]

On Sun, 19 Feb 2012 13:02:01 +0100, Jeroen Massar said:

> Per default most webservers (Apache, nginx, etc) won't log POST
> variables, GET variables will be logged (as they are part of the query)
> but those should not contain any PII.

Right. They shouldn't. But the security mailing lists have lots of
counter-examples from clue-challenged web developers. Plan your logging
strategy accordingly (is there any safe answer here other than "disable
logging" or "log only timestamp and source IP"?)


bonomi at mail

Feb 19, 2012, 8:14 AM

Post #25 of 35 (378 views)
Permalink
Re: DNS Attacks [In reply to]

> From ken.gilmour [at] gmail Sun Feb 19 05:04:39 2012
> Date: Sun, 19 Feb 2012 11:59:37 +0100
> Subject: Re: DNS Attacks
> From: Ken Gilmour <ken.gilmour [at] gmail>
> To: Robert Bonomi <bonomi [at] mail>
> Cc: nanog [at] nanog
>
> On Feb 18, 2012 10:24 PM, "Robert Bonomi" <bonomi [at] mail> wrote:
> >
> > Even better, nat to a 'bogon' DNS server -- one that -- regardless of the
> > query -- returns the address of a dedicated machine on your network set up
> > especially for this purpose.
>
> What happens when the client sends a POST from a cached page on the end
> user's machine? E.g. if they post login credentials. Of course, they'll get
> the error page, but then you have confidential data in your logs and now
> you have to protect highly confidential info, at least if you're in Europe.
>

*WHAT* 'confidential data' in which logs? <grin>

The aforementioned dedicated machine isn't a real web-server, or a real
'any other' server -- it is solely a special-purpose application machine.
When you connect to it on say, port 80, it doesn't log anything from the
port -- it just logs (1) the timestamp, and (2) the connecting IP address
(and _nothing_ else); then it copies out a previously prepared static file,
and disconnects.

You build a separate app that reads that logfile, matches IP address/timestamp
to a customer account, and feeds a message into the 'customer records' system
that this customer -has- been notified of this problem, and when, in case
they call for support.

If one is 'really' paranoid, the 'logfile' can be implemented as a 'pipe'
between the processes, so that the data never hits disk in the first place. ;)

I've got proof-of-concept code for a single program that handles HTTP (port
80), SMTP (port 25 and port 587), POP3 (port 110), IMAP2 & 4 (port 143), IMAP3
(port 220), TELNET (port 23), FTP (port 21), and NNTP (port 119), so far.
I'm planning to add IRC, and various SSL-based protocols as well.
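The notice-only listener Robert describes, as an added example of my own rather than his proof-of-concept code: it keeps only the timestamp and peer IP, drains and discards whatever the client sent (the client helper sends a constructed POST carrying credentials), writes a static page and disconnects. The in-memory list stands in for his pipe to the account-matching app, and the HTTP-only scope is my assumption.

```python
import socket, threading, time

# Constructed notice text; an operator would substitute their own wording.
NOTICE_BODY = b"Your computer is using a rogue DNS server and must be cleaned before internet access will work.\n"
NOTICE = (b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\nConnection: close\r\n"
          b"Content-Length: %d\r\n\r\n" % len(NOTICE_BODY)) + NOTICE_BODY

class NoticeServer:
    """Accepts a TCP connection, records only (timestamp, source IP), drops the request, serves NOTICE."""

    def __init__(self, host="127.0.0.1", port=0):       # port 0: let the OS pick
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        self.log = []   # stands in for the pipe to the account-matching app
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, (peer_ip, _) = self.sock.accept()
            except OSError:
                return                                  # listener was closed
            self.log.append((int(time.time()), peer_ip))  # the only data kept
            try:
                conn.settimeout(0.5)
                try:
                    conn.recv(65536)   # headers and any POST body: read once, never stored
                except socket.timeout:
                    pass
                conn.sendall(NOTICE)   # previously prepared static page
            finally:
                conn.close()

    def close(self):
        self.sock.close()

def fetch_notice(port, request=b"POST /login HTTP/1.0\r\nContent-Length: 22\r\n\r\nuser=alice&pass=s3cret"):
    """Client side: send a request (default: a constructed POST carrying credentials)
    and return the server's complete reply."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(request)
        chunks = []
        while True:
            data = c.recv(4096)
            if not data:
                return b"".join(chunks)
            chunks.append(data)
```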
