Krebs on Security booted off Akamai network after DDoS attack proves pricey

Mark Andrews marka at isc.org
Tue Sep 27 21:20:43 UTC 2016


In message <ED450BED-5C57-4B90-A8BD-7160015B893A at puck.nether.net>, Jared Mauch writes:
>
> > On Sep 27, 2016, at 12:43 AM, Mark Andrews <marka at isc.org> wrote:
> >
> > Why not?  You call a washing machine mechanic when the washing
> > machine plays up.  This is not conceptually different.
>
> Mark,
>
> Your logic is infallible here, but the equivalencies are not.  If I
> drive on the road and it’s bumpy, I would complain to the road people,
> but some people will take their car to the shop and say it shakes.
>
> When you are a toll-free call away from a complaint, often this barrier
> of proof is quite high.  I recall something that Vijay said when he was
> still at AOL, if the customer phones in for support they lost all profit
> on the customer for the lifetime of the customer.
>
> Given that most people make decisions based on lowest cost (which isn’t
> always lowest or best due to marketing, promos, etc) the barrier for burden
> of proof is set such that a carrier must prove to a non-technical user it’s
> their fault.
>
> This proof is tough, not impossible, but look at your EDNS project, the
> problems are real and often can’t be easily addressed.

Actually, EDNS shows they can be addressed.

Firewall vendors are changing the defaults to allow through all
packets that match the test classes.

DNS vendors are fixing their products to properly handle packets
with EDNS extension.

DNS hosters are fixing their deployed firewalls and servers.

Soon I'll be asking my local opposition MP if she can ask why the
DNS servers for *.gov.au aren't compliant with the standard after
reporting to the DNS operators that they are broken.  I suspect she
will have fun with having more material to fling around.

I'm having to reduce the parallelism of the test runs because
the packets are being answered.

Fixing EDNS is basically an education issue.  Raise the awareness
until it becomes something one can't ignore.  Go look at the TLD
graphs.  Almost all the TLD operators have fixed their firewalls /
servers.

If Microsoft and Go Daddy fix their servers most of the incorrect
echoing of EDNS options and EDNS flags will disappear.  Both have been
informed: Microsoft about 2 years ago, when we let them know that
their servers have issues with EDNS (this included both the servers
they ship in Windows and the servers answering DNS queries for
Microsoft domains).  They were reminded a year ago.  Go Daddy was
informed very recently (via email).

Note that COOKIE is echoed.  Also you can't report this to Microsoft
using the email address listed below, which was designed for reporting
issues like this.  Microsoft wants you to create an account or use
twitter (which also requires an account to be created).

You will note the DNS COOKIES are on by default.  BIND 9.11.0 will
be sending its queries with a DNS COOKIE option present.  All your
servers need to cope.

% dig boimi.gov. @ns1-06.azure-dns.com soa

; <<>> DiG 9.11.0rc2 <<>> boimi.gov. @ns1-06.azure-dns.com soa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54172
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
; COOKIE: ddcbdd73de5d5ef8 (echoed)
;; QUESTION SECTION:
;boimi.gov.			IN	SOA

;; ANSWER SECTION:
boimi.gov.		3600	IN	SOA	ns1-06.azure-dns.com. azuredns-hostmaster.microsoft.com. 1 3600 300 2419200 300

;; ADDITIONAL SECTION:
ns1-06.azure-dns.com.	3600	IN	A	40.90.4.6

;; Query time: 141 msec
;; SERVER: 40.90.4.6#53(40.90.4.6)
;; WHEN: Wed Sep 28 07:11:15 EST 2016
;; MSG SIZE  rcvd: 152

% 


% dig microsoft.com @ns1.msft.net

; <<>> DiG 9.11.0rc2 <<>> microsoft.com @ns1.msft.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 7450
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 5a294c21d4ac66a3 (echoed)
;; QUESTION SECTION:
;microsoft.com.			IN	A

;; Query time: 269 msec
;; SERVER: 2620:0:30::53#53(2620:0:30::53)
;; WHEN: Wed Sep 28 07:05:34 EST 2016
;; MSG SIZE  rcvd: 54

% dig microsoft.com @ns1.msft.net +nocookie

; <<>> DiG 9.11.0rc2 <<>> microsoft.com @ns1.msft.net +nocookie
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26221
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;microsoft.com.			IN	A

;; ANSWER SECTION:
microsoft.com.		3600	IN	A	23.96.52.53
microsoft.com.		3600	IN	A	191.239.213.197
microsoft.com.		3600	IN	A	104.40.211.35
microsoft.com.		3600	IN	A	104.43.195.251
microsoft.com.		3600	IN	A	23.100.122.175

;; Query time: 425 msec
;; SERVER: 2620:0:30::53#53(2620:0:30::53)
;; WHEN: Wed Sep 28 07:05:39 EST 2016
;; MSG SIZE  rcvd: 122

% 


Mark

> - Jared
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
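As an added example (not part of the post, and not ISC's own EDNS compliance tooling): a small Python checker that sends a query carrying an EDNS COOKIE option and classifies the reply the way dig labels it in the runs above: the option copied back verbatim ("echoed"), a FORMERR, the option ignored, or a proper client-plus-server cookie ("good"). The "good" check follows RFC 7873 (8-byte client cookie followed by an 8..32-byte server cookie); probe() needs network access, everything else runs offline on constructed messages, and the query name boimi.gov. is taken from the dig run above.

```python
import socket
import struct
import secrets

COOKIE_OPT = 10  # EDNS option code for DNS COOKIE (RFC 7873); the OPT pseudo-RR is type 41
def build_query(qname, qtype=6, client_cookie=None, udp_size=4096, txid=0x1234):
    client_cookie = client_cookie or secrets.token_bytes(8)    # fresh 8-byte client cookie
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1)       # RD set; 1 question, 1 OPT
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split(".") if l)
    question += b"\x00" + struct.pack("!HH", qtype, 1)          # root terminator, class IN
    opt_data = struct.pack("!HH", COOKIE_OPT, len(client_cookie)) + client_cookie
    # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, len(opt_data)) + opt_data
    return header + question + opt_rr, client_cookie            # (wire query, cookie sent)

def _skip_name(msg, off):
    while msg[off] and msg[off] < 0xC0:   # labels until the root byte or a compression pointer
        off += msg[off] + 1
    return off + (2 if msg[off] else 1)

def classify_response(msg, client_cookie):
    _, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off, cookie = 12, None
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                           # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata, off, p = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen, 0
        while rtype == 41 and p + 4 <= len(rdata):              # walk the OPT option TLVs
            code, ln = struct.unpack_from("!HH", rdata, p)
            if code == COOKIE_OPT:
                cookie = rdata[p + 4:p + 4 + ln]
            p += 4 + ln
    if flags & 0xF == 1:                        # FORMERR: query with COOKIE rejected outright
        return "formerr"
    if cookie is None:                          # option ignored, or no EDNS at all: acceptable
        return "no-cookie"
    if cookie == client_cookie:                 # copied back verbatim: broken (dig: "echoed")
        return "echoed"
    if cookie[:8] == client_cookie and 16 <= len(cookie) <= 40:
        return "good"                           # client cookie + 8..32 byte server cookie
    return "malformed"

def probe(server, qname="boimi.gov."):          # live check over UDP, IPv4 (needs network)
    query, cc = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3.0)
        s.sendto(query, (server, 53))
        return classify_response(s.recv(4096), cc)
```

A server that answers "echoed" or "formerr" is the kind of deployment the message above complains about; "no-cookie" is the correct behaviour for a server that does not implement cookies at all.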