R: a few matters about security and consistency
Alessandro.Pelosi at swisscom-italy.com
Thu Jul 6 10:23:47 CEST 2000
We experienced the same problem... one of our customers was attacked properly in this way.... the only way to stop it was to add an iproute on our gateway royter that thashed in the null0 all the traffic directed to the victim server, and then renumber the other services. -----Messaggio originale----- Da: Mark Lastdrager [mailto:mark at pine.nl] Inviato: mercoledì 5 luglio 2000 22.53 A: lir-wg at ripe.net Cc: cert at pine.nl Oggetto: a few matters about security and consistency Hi, There are two matters I want to discuss, which are related from my point of view. Yesterday, ons of our hosts was attacked (Denial of Service). The attacker was using the DNS DOS described in http://www.ciac.org/ciac/bulletins/j-063.shtml (AUSCERT AL-1999.004) for this. The used attack in short: Small DNS queries are sent from the attacker to each of the DNS servers. These queries contain the spoofed IP address of the target. The DNS servers respond to the small query with a large response. These responses are routed to the target, causing link congestion and possible denial of Internet connectivity. This morning, we took our tcpdump logs of the attacks, and built a script which queried the Ripe database for the admins of the abused ('man-in-the-middle') networks. We got almost 900 unique email adresses out of this, to whom we sent a clear email describing what happened and asking for any logs or other usable information to find out who the attacker is. We we astonished how many people reacted with usefull information, we are still investigating right now. It pointed out we were not the only one attacked, it now looks like the attacker (or attackers ofcourse) is abusing most of the 194.x network to amplify the DNS requests pointing at a lot of Dutch hosts and even some in the USA. Ok, that was the scary part ;-) If you operate 1 or more DNS servers, please read the AUSCERT document and apply the workarounds they mention there (only allow your nameserver(s) to answer to queries from trusted hosts and/or zones you are authoritive for). If will really help from people abusing your network and filling up your pipe(s). Matter 1: What scared me was the great amount of bounced mail we got back from the 900 mails we sent. I think at least 10% did not exist. Besides that we got a lot of replies like 'hey don't bother me, I don't work there anymore'. Why doesn't RIPE test periodically if email adresses still work? Matter 2: Like I said, we got a lot of useful replies and they all more or less contained the same information. People had full, non-working internet links for days because of the attacks and were very happy that we pointed them to the 'Auscert workaround' because now they've closed their DNS'es the traffic (and business!) goes back to normal. Because of the info we got, we are -while I write this- trying to trace back to the origin of the spoofed packets. I think it would be very helpful if there was a mailinglist where European operators could discuss this kind of incidents, like the USA people do at the Securityfocus mailinglist (http://www.securityfocus.com/templates/archive.pike?list=75). I think the introduction at http://www.securityfocus.com/forums/incidents/intro.html would describe the use of such a list very well. Incidents like this DOS which affect a lot of European networks could be stopped much quicker, and if you can contact your fellow operators you don't have to waste expensive time trying to track down those stupid scriptkids (believe me.. it takes a lot of time ;-)). Ofcourse things like virii, talk about used exploits etc. are on-topic and interesting too. Like I said: time is money, so we set up the list euro-incidents at security.nl already. Anybody can subscribe at http://www.security.nl/mailman/listinfo/euro-incidents. Thanks for your time, Mark Lastdrager Pine Internet -- email: mark at lastdrager.nl :: ML1400-RIPE :: tel. +31-70-3111010 http://www.pine.nl :: RIPE RegID nl.pine :: fax. +31-70-3111011 PGP key ID 92BB81D1 :: Dutch security news @ http://security.nl Today's excuse: We only support a 28000 bps connection.
[ lir-wg Archive ]