Re: DNS deluge for x.p.ctrc.cc

2006-03-02 Thread Christopher L. Morrow
On Thu, 2 Mar 2006, Gadi Evron wrote: > apparently these amplification attacks have been going on for a while > now (i.e. "longer than we think"). yes, at least 6 years... > > One good thing that may come out of this aside to dealing with badly > handled recursion is more attention to BCP38 now

Re: DNS deluge for x.p.ctrc.cc

2006-03-02 Thread Gadi Evron
Peter ([EMAIL PROTECTED]) wrote: You ever find out how to hack those shell accounts? Any chance you can let Gadi Evron know? :) At least some anonymous cowards do some interesting SMTP spoofing. As to the DNS thread going on over at the DNS-operations mailing list, apparently these amplifi

Re: DNS deluge for x.p.ctrc.cc

2006-03-02 Thread Peter
So I was catching up on old unread nanog mail and I came across YAIGP (Yet Another Insulting Gadi Post). Knowing that usenet archives are the great internet intelligence equalizer, I thought I'd pass along these humorous links. http://groups.google.com/groups/profile?enc_user=qybeTxcfIHYUZ

Re: DNS deluge for x.p.ctrc.cc

2006-02-27 Thread Rob Thomas
] Thanks and I am really impressed with everyone's reaction to this attack. ] Especially Rob Thomas, he really has a grip on it. Thanks muchly, Barrett, but the credit goes to Steve Gill. :) -- Rob Thomas Team Cymru http://www.cymru.com/ ASSERT(coffee != empty);

Re: DNS deluge for x.p.ctrc.cc

2006-02-26 Thread Barrett Lyon
I thought I would chime in quickly, one of my customers has been one of the targets of this attack. The x.p.ctrc.cc DNS server was shut down on the 15th, the response itself had a 36 TTL so that should be expired by now. On this end of it, the largest traffic spike we received was ar

Re: DNS deluge for x.p.ctrc.cc

2006-02-26 Thread Paul Vixie
# hum... i subscribed to this dns-operations@ list some days back as what? #in2.oarc:amd64# bin/list_members dns-operations | grep -i manning #in2.oarc:amd64# bin/list_members dns-operations | grep -i ep.net #in2.oarc:amd64# # and have yet to see any postings. i guess i'm not worth

Re: DNS deluge for x.p.ctrc.cc

2006-02-26 Thread Paul Vixie
i'd writ: # > speaking of which, f-root has about 35 nodes world wide, and about a third # > to a half of them aren't reachable by udp/161, and the blockage is not in # > our immediate neighbors but rather on transit paths. this is due to the # > cisco snmp vulnerability five years or so ago. f

Re: DNS deluge for x.p.ctrc.cc

2006-02-26 Thread bmanning
> i'm not following up on the dns related parts of this, since dns-operations@ > seems to be pulling some of the dns related load today and i don't want to > say the same thing in both places. see this URL for details: > > http://lists.oarci.net/pipermail/dns-operations/2006-February/author.html

Re: DNS deluge for x.p.ctrc.cc

2006-02-26 Thread Paul Vixie
[EMAIL PROTECTED] ("Christopher L. Morrow") writes: > seems like global tcp/139|tcp/445 filters, or bogon filters... bits put > into configs 'now' and completely forgotten about 'tomorrow' :( speaking of which, f-root has about 35 nodes world wide, and about a third to a half of them aren't reac

Re: DNS deluge for x.p.ctrc.cc

2006-02-26 Thread Christopher L. Morrow
On Sun, 26 Feb 2006, Joe Abley wrote: > As a temporary mitigation tool today, when the volume of legitimate, > large-packet EDNS0 traffic is near-zero, blocking big 53/udp packets > might *sound* reasonable. However, we all know how permanent how are you certain that the udp/53 1500 byte packet

Re: DNS deluge for x.p.ctrc.cc

2006-02-26 Thread Joe Abley
On 25-Feb-2006, at 03:41, [EMAIL PROTECTED] wrote: Limit UDP queries to 512 bytes. This greatly decreases the amplification effect, though it doesn't stop it. Expanding on this slightly, since I think this merits more discussion -- if there was widespread filtering of 53/udp pa

Re: DNS deluge for x.p.ctrc.cc

2006-02-26 Thread Jon Lewis
On Sat, 25 Feb 2006, Rob Thomas wrote: As many say, you own your network, and are free to run it as you see fit. :) That said, please be aware that if you leave your name servers open to recursive query requests from any source, you WILL unwittingly help to amplify these attacks. It's the sa

Re: DNS deluge for x.p.ctrc.cc

2006-02-26 Thread Paul Vixie
[EMAIL PROTECTED] (Paul Vixie) (hey, that's me!) writes: > ... (There are > about 50 folks on that list, which I'm calling "critical mass" for the > purpose of starting the first real discussion over there.) oops. 154 as of this morning, i guess i wasn

Re: DNS deluge for x.p.ctrc.cc

2006-02-26 Thread Paul Vixie
I've taken the liberty of following up on this thread on a different mailing list ([EMAIL PROTECTED]), since I'd like to explore it at a depth and breadth that would seem overly obsessive on a general purpose ops list like nanog. is the entry point if yo

Re: DNS deluge for x.p.ctrc.cc

2006-02-25 Thread Randy Bush
> As many say, you own your network, and are free to run it as you see > fit. :) That said, please be aware that if you leave your name > servers open to recursive query requests from any source, you WILL > unwittingly help to amplify these attacks. and there is discussion on treating this simi

Re: DNS deluge for x.p.ctrc.cc

2006-02-25 Thread Jon Lewis
On Fri, 24 Feb 2006, Chris Adams wrote: One thing to note: we've discovered that on some common DSL routers, the internal DNS caching server is on by default and answers requests on the outside IP address. IIRC some even do it when configured for NAT. So, even when you disable outside recursi

Re: DNS deluge for x.p.ctrc.cc

2006-02-25 Thread Joe Provo
On Sat, Feb 25, 2006 at 08:41:01AM +, [EMAIL PROTECTED] wrote: > robt wrote: [snip] > > Limit recursion to trusted netblocks and customers. Do not permit > > your name servers to provide recursion for the world. If you do, > > you will contribute to one of these attacks. > > r

Re: DNS deluge for x.p.ctrc.cc

2006-02-25 Thread Rob Thomas
Hey, Bill. As many say, you own your network, and are free to run it as you see fit. :) That said, please be aware that if you leave your name servers open to recursive query requests from any source, you WILL unwittingly help to amplify these attacks. It's the same as ICMP directed broadcast

Re: DNS deluge for x.p.ctrc.cc

2006-02-25 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, Rob Thomas writes: > >Limit UDP queries to 512 bytes. This greatly decreases the >amplification effect, though it doesn't stop it. > Unfortunately, the intention of the DNS developers is just the opposite. Things like DNSSEC require larger packet sizes; in fac

Re: DNS deluge for x.p.ctrc.cc

2006-02-25 Thread Nicholas Suan
[EMAIL PROTECTED] wrote: Limit recursion to trusted netblocks and customers. Do not permit your name servers to provide recursion for the world. If you do, you will contribute to one of these attacks. I don't really think that preventing every Tom, Dick, and Harry from usi

Re: DNS deluge for x.p.ctrc.cc

2006-02-25 Thread bmanning
> ] other cctld servers have seen what are effectively ddos. rob thomas > ] seems to have the most clue on this, so i hope this troll will entice > ] him to speak. > > Did someone say "troll?" :) > > Yes, this is a real problem. These attacks have exceeded several > gigabits per second in siz

Re: DNS deluge for x.p.ctrc.cc

2006-02-24 Thread Chris Adams
Once upon a time, Rob Thomas <[EMAIL PROTECTED]> said: > Limit recursion to trusted netblocks and customers. Do not permit > your name servers to provide recursion for the world. If you do, > you will contribute to one of these attacks. One thing to note: we've discovered that on some common DS

Re: DNS deluge for x.p.ctrc.cc

2006-02-24 Thread Stephen Stuart
> Note we have our own Secure BIND Template which will help on the > BIND side of life. > > > > If you need assistance with any of this, have endured one of these > attacks, or have any other questions, please don't hesitate to ping >

Re: DNS deluge for x.p.ctrc.cc

2006-02-24 Thread Rob Thomas
Hi, NANOGers. ] other cctld servers have seen what are effectively ddos. rob thomas ] seems to have the most clue on this, so i hope this troll will entice ] him to speak. Did someone say "troll?" :) Yes, this is a real problem. These attacks have exceeded several gigabits per second in size

Re: DNS deluge for x.p.ctrc.cc

2006-02-24 Thread brett watson
On Feb 24, 2006, at 11:47 AM, Randy Bush wrote: this would be a fine thread to discuss on dns-operations, which a bunch of you here have already joined. http://lists.oarci.net/mailman/listinfo/ i joined but have never seen a message on that list. and this discussion seems useful. maybe we

Re: DNS deluge for x.p.ctrc.cc

2006-02-24 Thread Gadi Evron
Randy Bush wrote: this would be a fine thread to discuss on dns-operations, which a bunch of you here have already joined. http://lists.oarci.net/mailman/listinfo/ i joined but have never seen a message on that list. and this discussion seems useful. maybe we should not do a gadi? randy

Re: DNS deluge for x.p.ctrc.cc

2006-02-24 Thread Randy Bush
> this would be a fine thread to discuss on dns-operations, which a > bunch of you here have already joined. > http://lists.oarci.net/mailman/listinfo/ i joined but have never seen a message on that list. and this discussion seems useful. maybe we should not do a gadi? randy

Re: DNS deluge for x.p.ctrc.cc

2006-02-24 Thread brett watson
On Feb 24, 2006, at 11:30 AM, Ejay Hire wrote: It may be coincidental, but TXT and ANY queries for this zone were the ones used in the multi-gigabit reflected dns DDOS against us earlier this month. this would be a fine thread to discuss on dns-operations, which a bunch of you here have al

RE: DNS deluge for x.p.ctrc.cc

2006-02-24 Thread Ejay Hire
Of Estes, Paul > Sent: Friday, February 24, 2006 11:26 AM > To: nanog@merit.edu > Subject: DNS deluge for x.p.ctrc.cc > > We have recently noticed a deluge of DNS requests for "ANY > ANY" records of x.p.ctrc.cc. The requests are coming from > thousands of sour

Re: DNS deluge for x.p.ctrc.cc

2006-02-24 Thread Gadi Evron
Estes, Paul wrote: Actually, what we are seeing does not appear to be an amplification attack. It appears to be a request flood from infected machines. We have anti-spoofing filters on our upstream connections as well as our subscribers' access lines. The source addresses are not spoofed. They

RE: DNS deluge for x.p.ctrc.cc

2006-02-24 Thread Estes, Paul
appears to be offline. --Paul -Original Message- From: william(at)elan.net [mailto:[EMAIL PROTECTED] Sent: Friday, February 24, 2006 9:47 AM To: Estes, Paul Cc: nanog@merit.edu Subject: Re: DNS deluge for x.p.ctrc.cc On Fri, 24 Feb 2006, Estes, Paul wrote: > We have recently notice

Re: DNS deluge for x.p.ctrc.cc

2006-02-24 Thread william(at)elan.net
On Fri, 24 Feb 2006, Estes, Paul wrote: We have recently noticed a deluge of DNS requests for "ANY ANY" records They are trying to abuse similar holes that caused most of us to add "no ip redirects" and "no ip directed broadcast" to routers, but this time it's about dns of x.p.ctrc.cc. The req

Re: DNS deluge for x.p.ctrc.cc

2006-02-24 Thread Randy Bush
other cctld servers have seen what are effectively ddos. rob thomas seems to have the most clue on this, so i hope this troll will entice him to speak. randy

DNS deluge for x.p.ctrc.cc

2006-02-24 Thread Estes, Paul
We have recently noticed a deluge of DNS requests for “ANY ANY” records of x.p.ctrc.cc. The requests are coming from thousands of sources, mostly our own customers. There are currently no records for x.p.ctrc.cc, or even for p.ctrc.cc. A google search for x.p.ctrc.cc comes up with only 2 hi