isprime DOS in progress

David Andersen dga at cs.cmu.edu
Sun Jan 25 11:23:27 CST 2009


I'm not sure you're entirely out of the water yet:

17:13:45.680944 76.9.16.171.53868 > XXXXXXXX.53:  58451+ NS? . (17)
17:13:45.681251 XXXXXXXX.53 > 76.9.16.171.53868:  58451 Refused- 0/0/0  
(17)

CIDR:       76.9.0.0/19
NetName:    ISPRIME-ARIN-3

In addition to the one that Brian Keefer mentioned a few days ago  
(206.71.158.30).

But on that subject, I figured I'd toss in a (sad) anecdote about  
security and upgrades.  I'd upgraded this nameserver to bind-9 some  
time ago, during a bit of a security panic.  And in the process, I  
screwed it up - I'd updated the machine itself, but had failed to  
propagate the changes to the master that sends updates to all of the  
servers.  The obvious thing happened:  after a while, this nameserver  
pulled its updates from the master, and downgraded to bind-8 again,  
which we didn't notice until I saw it spitting full cached NS  
responses to isprime hosts.  Human error strikes again.  Apologies for  
letting my host be an amplifier.

   -Dave


On Jan 23, 2009, at 1:11 PM, Phil Rosenthal wrote:

> Just a friendly notice, the attack against  
> 66.230.128.15/66.230.160.1 seems to have stopped for now.
>
> -Phil
> On Jan 22, 2009, at 6:01 AM, Bjørn Mork wrote:
>
>> Graeme Fowler <graeme at graemef.net> writes:
>>
>>> I've been seeing a lot of noise from the latter two addresses after
>>> switching on query logging (and finishing an application of Team  
>>> Cymru's
>>> excellent template) so I decided to DROP traffic from the addresses
>>> (with source port != 53) at the hosts in question.
>>>
>>> Well, blow me down if they didn't completely stop talking to me.  
>>> Four
>>> dropped packets each, and they've gone away.
>>>
>>> Something smells "not quite right" here - if the traffic is  
>>> spoofed, and
>>> my "Refused" responses have been flying right back to the *real* IP
>>> addresses, how are the spoofing hosts to know that I'm dropping the
>>> traffic?
>>
>> Did you filter *only* 66.230.128.15/66.230.160.1, or are you dropping
>> traffic from other sources too?  Looks like some of the other source
>> addresses are controlled by the DOSers. Possibly used to detect  
>> filters?
>>
>> These clients may look similar to the DOS attack, but there are  
>> subtle
>> differences:
>>
>> Jan 18 05:08:33 canardo named[32046]: client 211.72.249.201#29656:  
>> view external: query (cache) './NS/IN' denied
>> Jan 18 05:08:33 canardo named[32046]: client 211.72.249.201#29656:  
>> view external: query (cache) './NS/IN' denied
>> Jan 18 05:08:34 canardo named[32046]: client 211.72.249.201#29656:  
>> view external: query (cache) './NS/IN' denied
>> Jan 18 05:47:00 canardo named[32046]: client 211.72.249.201#29662:  
>> view external: query (cache) './NS/IN' denied
>> Jan 18 05:47:01 canardo named[32046]: client 211.72.249.201#29662:  
>> view external: query (cache) './NS/IN' denied
>> Jan 18 05:47:01 canardo named[32046]: client 211.72.249.201#29662:  
>> view external: query (cache) './NS/IN' denied
>> Jan 18 06:25:22 canardo named[32046]: client 211.72.249.201#29664:  
>> view external: query (cache) './NS/IN' denied
>> Jan 18 06:25:22 canardo named[32046]: client 211.72.249.201#29664:  
>> view external: query (cache) './NS/IN' denied
>> Jan 18 06:25:23 canardo named[32046]: client 211.72.249.201#29664:  
>> view external: query (cache) './NS/IN' denied
>> Jan 18 07:03:41 canardo named[32046]: client 211.72.249.201#29667:  
>> view external: query (cache) './NS/IN' denied
>> Jan 18 07:03:41 canardo named[32046]: client 211.72.249.201#29667:  
>> view external: query (cache) './NS/IN' denied
>> Jan 18 07:03:42 canardo named[32046]: client 211.72.249.201#29667:  
>> view external: query (cache) './NS/IN' denied
>> Jan 18 07:42:08 canardo named[32046]: client 211.72.249.201#29670:  
>> view external: query (cache) './NS/IN' denied
>> Jan 18 07:42:09 canardo named[32046]: client 211.72.249.201#29670:  
>> view external: query (cache) './NS/IN' denied
>> Jan 18 07:42:09 canardo named[32046]: client 211.72.249.201#29670:  
>> view external: query (cache) './NS/IN' denied
>> Jan 18 08:20:29 canardo named[32046]: client 211.72.249.201#29673:  
>> view external: query (cache) './NS/IN' denied
>> Jan 18 08:20:29 canardo named[32046]: client 211.72.249.201#29673:  
>> view external: query (cache) './NS/IN' denied
>> Jan 18 08:20:30 canardo named[32046]: client 211.72.249.201#29673:  
>> view external: query (cache) './NS/IN' denied
>> Jan 18 08:58:50 canardo named[32046]: client 211.72.249.201#29678:  
>> view external: query (cache) './NS/IN' denied
>> Jan 18 08:58:51 canardo named[32046]: client 211.72.249.201#29678:  
>> view external: query (cache) './NS/IN' denied
>> Jan 18 08:58:51 canardo named[32046]: client 211.72.249.201#29678:  
>> view external: query (cache) './NS/IN' denied
>> Jan 18 09:37:12 canardo named[32046]: client 211.72.249.201#29679:  
>> view external: query (cache) './NS/IN' denied
>> Jan 18 09:37:12 canardo named[32046]: client 211.72.249.201#29679:  
>> view external: query (cache) './NS/IN' denied
>> Jan 18 09:37:13 canardo named[32046]: client 211.72.249.201#29679:  
>> view external: query (cache) './NS/IN' denied
>>
>> Jan 20 07:02:51 canardo named[32046]: client 213.61.92.192#46716:  
>> view external: query (cache) './NS/IN' denied
>> Jan 20 07:02:51 canardo named[32046]: client 213.61.92.192#46716:  
>> view external: query (cache) './NS/IN' denied
>> Jan 20 07:02:51 canardo named[32046]: client 213.61.92.192#46716:  
>> view external: query (cache) './NS/IN' denied
>> Jan 20 07:41:21 canardo named[32046]: client 213.61.92.192#46752:  
>> view external: query (cache) './NS/IN' denied
>> Jan 20 07:41:21 canardo named[32046]: client 213.61.92.192#46752:  
>> view external: query (cache) './NS/IN' denied
>> Jan 20 07:41:21 canardo named[32046]: client 213.61.92.192#46752:  
>> view external: query (cache) './NS/IN' denied
>> Jan 20 08:19:46 canardo named[32046]: client 213.61.92.192#46785:  
>> view external: query (cache) './NS/IN' denied
>> Jan 20 08:19:46 canardo named[32046]: client 213.61.92.192#46785:  
>> view external: query (cache) './NS/IN' denied
>> Jan 20 08:19:46 canardo named[32046]: client 213.61.92.192#46785:  
>> view external: query (cache) './NS/IN' denied
>> Jan 20 08:58:12 canardo named[32046]: client 213.61.92.192#46808:  
>> view external: query (cache) './NS/IN' denied
>> Jan 20 08:58:12 canardo named[32046]: client 213.61.92.192#46808:  
>> view external: query (cache) './NS/IN' denied
>> Jan 20 08:58:12 canardo named[32046]: client 213.61.92.192#46808:  
>> view external: query (cache) './NS/IN' denied
>> Jan 20 09:36:34 canardo named[32046]: client 213.61.92.192#46833:  
>> view external: query (cache) './NS/IN' denied
>> Jan 20 09:36:34 canardo named[32046]: client 213.61.92.192#46833:  
>> view external: query (cache) './NS/IN' denied
>> Jan 20 09:36:34 canardo named[32046]: client 213.61.92.192#46833:  
>> view external: query (cache) './NS/IN' denied
>> Jan 20 10:14:58 canardo named[32046]: client 213.61.92.192#46858:  
>> view external: query (cache) './NS/IN' denied
>> Jan 20 10:14:58 canardo named[32046]: client 213.61.92.192#46858:  
>> view external: query (cache) './NS/IN' denied
>> Jan 20 10:14:58 canardo named[32046]: client 213.61.92.192#46858:  
>> view external: query (cache) './NS/IN' denied
>>
>> Jan 22 06:27:28 canardo named[32046]: client 66.238.93.161#34373:  
>> view external: query (cache) './NS/IN' denied
>> Jan 22 06:27:28 canardo named[32046]: client 66.238.93.161#34373:  
>> view external: query (cache) './NS/IN' denied
>> Jan 22 06:27:28 canardo named[32046]: client 66.238.93.161#34373:  
>> view external: query (cache) './NS/IN' denied
>> Jan 22 07:05:55 canardo named[32046]: client 66.238.93.161#34420:  
>> view external: query (cache) './NS/IN' denied
>> Jan 22 07:05:55 canardo named[32046]: client 66.238.93.161#34420:  
>> view external: query (cache) './NS/IN' denied
>> Jan 22 07:05:55 canardo named[32046]: client 66.238.93.161#34420:  
>> view external: query (cache) './NS/IN' denied
>> Jan 22 07:44:20 canardo named[32046]: client 66.238.93.161#34473:  
>> view external: query (cache) './NS/IN' denied
>> Jan 22 07:44:20 canardo named[32046]: client 66.238.93.161#34473:  
>> view external: query (cache) './NS/IN' denied
>> Jan 22 07:44:21 canardo named[32046]: client 66.238.93.161#34473:  
>> view external: query (cache) './NS/IN' denied
>> Jan 22 08:22:38 canardo named[32046]: client 66.238.93.161#34503:  
>> view external: query (cache) './NS/IN' denied
>> Jan 22 08:22:38 canardo named[32046]: client 66.238.93.161#34503:  
>> view external: query (cache) './NS/IN' denied
>> Jan 22 08:22:38 canardo named[32046]: client 66.238.93.161#34503:  
>> view external: query (cache) './NS/IN' denied
>> Jan 22 09:00:56 canardo named[32046]: client 66.238.93.161#34540:  
>> view external: query (cache) './NS/IN' denied
>> Jan 22 09:00:56 canardo named[32046]: client 66.238.93.161#34540:  
>> view external: query (cache) './NS/IN' denied
>> Jan 22 09:00:56 canardo named[32046]: client 66.238.93.161#34540:  
>> view external: query (cache) './NS/IN' denied
>> Jan 22 09:39:20 canardo named[32046]: client 66.238.93.161#34574:  
>> view external: query (cache) './NS/IN' denied
>> Jan 22 09:39:21 canardo named[32046]: client 66.238.93.161#34574:  
>> view external: query (cache) './NS/IN' denied
>> Jan 22 09:39:21 canardo named[32046]: client 66.238.93.161#34574:  
>> view external: query (cache) './NS/IN' denied
>>
>>
>> Notice the pattern:
>> 3 probes every 38 minutes
>> Each probe from the same source port
>> Source port increases slowly and steadily
>>
>> This looks like some application actually waiting for a response.   
>> The
>> slow source port change is probably an indication that this client  
>> only
>> tests a small number of DNS servers.  I guess that this client is  
>> either
>> one of the many bots used to send the spoofed requests, or maybe a  
>> bot
>> not allowed to spoof its source and therefore used for other
>> purposes. In any case, I assume that other DNS servers may see such
>> control sessions coming from other addresses.
>>
>> These 3 clients started probing my DNS server almost simultaneously  
>> on January 8th:
>>
>>
>> Jan  8 19:33:52 canardo named[26496]: client 213.61.92.192#31195:  
>> view external: query (cache) './NS/IN' denied
>> Jan  8 19:33:52 canardo named[26496]: client 213.61.92.192#31195:  
>> view external: query (cache) './NS/IN' denied
>> Jan  8 19:33:52 canardo named[26496]: client 213.61.92.192#31195:  
>> view external: query (cache) './NS/IN' denied
>> Jan  8 19:36:29 canardo named[26496]: client 66.238.93.161#11299:  
>> view external: query (cache) './NS/IN' denied
>> Jan  8 19:36:29 canardo named[26496]: client 66.238.93.161#11299:  
>> view external: query (cache) './NS/IN' denied
>> Jan  8 19:36:30 canardo named[26496]: client 66.238.93.161#11299:  
>> view external: query (cache) './NS/IN' denied
>> Jan  8 19:37:47 canardo named[26496]: client 211.72.249.201#29112:  
>> view external: query (cache) './NS/IN' denied
>> Jan  8 19:37:47 canardo named[26496]: client 211.72.249.201#29112:  
>> view external: query (cache) './NS/IN' denied
>> Jan  8 19:37:47 canardo named[26496]: client 211.72.249.201#29112:  
>> view external: query (cache) './NS/IN' denied
>>
>> Maybe preparing for the attack on ISPrime?  I didn't start receiving
>> spoofed requests from 66.230.128.15/66.230.160.1 before January 20th
>>
>>
>> I just tried filtering the probing addresses.  This made the probing
>> stop immediately after dropping a set of 3 probes.  But the spoofed
>> requests continuted at the same rate as before, so this does not  
>> support
>> my theory.
>>
>> However, I believe it would be too much of a coincidence if there  
>> isn't
>> some connection between the probing and the DOS attack.  It would be
>> interesting to hear if others see similar probing.
>>
>>
>>
>> Bjørn
>>
>
>
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 194 bytes
Desc: This is a digitally signed message part
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20090125/43133054/attachment.bin>


More information about the NANOG mailing list