<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>RE: DNS DOS increasing?</TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 5.50.4912.300" name=GENERATOR></HEAD>
<BODY>
<DIV>
<DIV><SPAN class=837332716-21012002><FONT face=Arial color=#0000ff size=2>I've
seen this behavior before, also. I thought it was interesting that two
servers side by side, receiving the same attacks/ratios and only serving DNS
(BIND 8.2.x*), acted in this manner:</FONT></SPAN></DIV>
<DIV><SPAN class=837332716-21012002><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=837332716-21012002><FONT face=Arial color=#0000ff
size=2> Redhat 6.2 w/dual proc 833
512/ram started "losing" RR records</FONT></SPAN></DIV>
<DIV><SPAN class=837332716-21012002><FONT face=Arial color=#0000ff
size=2> Solaris 7 on a Sparc 10 (hehe)
w/256 rebooted and served the correct
records</FONT></SPAN></DIV>
<DIV><SPAN class=837332716-21012002><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=837332716-21012002><FONT face=Arial color=#0000ff size=2>I'm
curious to see how other OSes react to these attacks. My guess is that BSD
systems (such as FreeBSD and BSDi) will react similarly to the Solaris based on
my past experience with these systems. So I am curious to see if the RR
record "loss" is an OS-specific behaviour, especially since Redhat has priors in
misplacing information in earlier versions of the OS.</FONT></SPAN></DIV>
<DIV><SPAN class=837332716-21012002><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=837332716-21012002><FONT face=Arial color=#0000ff size=2>* I
say BIND 8.2.x, because this continued to occur through the various BIND 8.2
releases.</FONT></SPAN></DIV>
<DIV><SPAN class=837332716-21012002><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=837332716-21012002>
<P><FONT size=2>Best regards,<BR><BR>Karyn Ulriksen<BR>Valkaryn Internet
Group<BR>URL: <A target=_blank
href="http://www.valkaryn.net/">http://www.valkaryn.net</A><BR>email:
valkaryn@valkaryn.net<BR>===========================================<BR>"Decisions
should be made in the space of seven breaths."<BR></FONT></P></SPAN></DIV></DIV>
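<P><FONT size=2>Editor's added example (not part of either message in this thread): a small Python detector for the re-query pattern James Smith describes in the quoted message below, where a client refuses the negative answer and immediately asks for the same nonexistent name again. It runs over a constructed, simplified query log; the "rcode" field is an assumption for illustration (BIND 8 query logs do not record it) and the client/name pairs and timestamps are made up.</FONT></P>

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed, simplified resolver query log (not real BIND output): one line
# per query, with the rcode the resolver returned appended for illustration.
SAMPLE_LOG = """\
2002-01-21 07:08:00 client 192.0.2.10 query www.example.net A rcode NOERROR
2002-01-21 07:08:01 client 192.0.2.77 query nosuch.example.org A rcode NXDOMAIN
2002-01-21 07:08:01 client 192.0.2.77 query nosuch.example.org A rcode NXDOMAIN
2002-01-21 07:08:01 client 192.0.2.77 query nosuch.example.org A rcode NXDOMAIN
2002-01-21 07:08:02 client 192.0.2.77 query nosuch.example.org A rcode NXDOMAIN
2002-01-21 07:08:02 client 192.0.2.77 query nosuch.example.org A rcode NXDOMAIN
2002-01-21 07:08:30 client 192.0.2.10 query gone.example.net A rcode NXDOMAIN
2002-01-21 07:09:45 client 192.0.2.10 query gone.example.net A rcode NXDOMAIN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>\S+) query (?P<qname>\S+) "
    r"(?P<qtype>\S+) rcode (?P<rcode>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def find_nxdomain_loops(log_text, window_s=5, threshold=3):
    """Return {(client, qname): repeats} for clients that re-ask the same name
    within window_s seconds of being told NXDOMAIN at least threshold times.
    A well-behaved client would honour the negative answer (and its cache TTL)
    rather than re-query immediately, so these pairs are the DoS-like traffic."""
    last_nx = {}                 # (client, qname) -> time of last NXDOMAIN
    repeats = defaultdict(int)   # (client, qname) -> rapid re-queries seen
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["client"], rec["qname"].lower())
        prev = last_nx.get(key)
        if prev is not None and (rec["ts"] - prev).total_seconds() <= window_s:
            repeats[key] += 1
        if rec["rcode"] == "NXDOMAIN":
            last_nx[key] = rec["ts"]
        else:
            last_nx.pop(key, None)   # a positive answer resets the tracking
    return {k: n for k, n in repeats.items() if n >= threshold}
```

The second client in the sample asks for gone.example.net twice, but 75 seconds apart, so only the tight loop from 192.0.2.77 is reported.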
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma
size=2>-----Original Message-----<BR><B>From:</B> Karyn Ulriksen
[mailto:valkaryn@valkaryn.net]<BR><B>Sent:</B> Monday, January 21, 2002 8:39
AM<BR><B>To:</B> James Smith<BR><B>Subject:</B> RE: DNS DOS
increasing?<BR><BR></FONT></DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma
size=2>-----Original Message-----<BR><B>From:</B> owner-nanog@merit.edu
[mailto:owner-nanog@merit.edu]<B>On Behalf Of </B>James
Smith<BR><B>Sent:</B> Monday, January 21, 2002 7:08 AM<BR><B>To:</B>
nanog@merit.edu<BR><B>Subject:</B> RE: DNS DOS
increasing?<BR><BR></FONT></DIV>
<P><FONT size=2>I've seen DOS-type behavior where a client will query
a resolver for a name that doesn't exist, and the client does not accept the
answer that the name does not exist and immediately sends another query,
regardless of whether or not the resolver declared itself authoritative for
the negative answer.</FONT></P>
<P><FONT size=2>-- </FONT><BR><FONT size=2>/ak</FONT> </P>
<P><FONT size=2> Get ready for more DOS-like behavior as systems get
deployed that have 10 second TTLs in the DNS. These systems are used to
provide multi-ISP redundancy by pinging each upstream's router, and when a
ping fails, start giving out a DNS response using the other ISP's IP range.
Same FQDN, new IP.</FONT></P>
<P><FONT size=2> This of course is driven by the desire for redundancy
in small businesses who make the Internet an integral part of their business
plan. Either they can't get PI space and don't have (or don't want to spend)
the $$$ to do BGP, or are unable to convince their upstream to cut a hole in
their CIDR block and allow a 2nd party to announce that chunk (which for
some is as small as /28).</FONT></P>
<P><FONT size=2>James H. Smith II NNCDS NNCSE</FONT> <BR><FONT
size=2>Systems Engineer</FONT> <BR><FONT size=2>The Presidio
Corporation</FONT> </P></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML>