Re: R: a few matters about security and consistency
- Date: Thu, 06 Jul 2000 10:32:40 +0200
- Organization: KPNQwest
Please discuss this somewhere else :-)
Alessandro.Pelosi@localhost wrote:
> We experienced the same problem... one of our customers was attacked
> properly in this way....
> The only way to stop it was to add an IP route on our gateway router that
> trashed all the traffic directed to the victim server into null0, and then
> renumber the other services.
>
> -----Original Message-----
> From: Mark Lastdrager [ ]
> Sent: Wednesday 5 July 2000 22:53
> To: lir-wg@localhost
> Cc: cert@localhost
> Subject: a few matters about security and consistency
>
> Hi,
>
> There are two matters I want to discuss, which are related from my point
> of view.
>
> Yesterday, one of our hosts was attacked (Denial of Service). The attacker
> was using the DNS DoS described in
> http://www.ciac.org/ciac/bulletins/j-063.shtml (AUSCERT AL-1999.004) for
> this.
>
> The attack used, in short: small DNS queries are sent from the attacker
> to each of the DNS servers. These queries contain the spoofed IP address
> of the target. The DNS servers respond to the small query with a large
> response. These responses are routed to the target, causing link
> congestion and possible denial of Internet connectivity.
>
> This morning, we took our tcpdump logs of the attacks, and built a script
> which queried the RIPE database for the admins of the abused
> ('man-in-the-middle') networks. We got almost 900 unique email addresses
> out of this, to whom we sent a clear email describing what happened and
> asking for any logs or other usable information to find out who the
> attacker is. We were astonished how many people reacted with useful
> information; we are still investigating right now.
>
> It turned out we were not the only one attacked; it now looks like the
> attacker (or attackers, of course) is abusing most of the 194.x network to
> amplify the DNS requests pointing at a lot of Dutch hosts and even some
> in the USA.
>
> Ok, that was the scary part ;-) If you operate 1 or more DNS servers,
> please read the AUSCERT document and apply the workarounds they mention
> there (only allow your nameserver(s) to answer queries from trusted
> hosts and/or zones you are authoritative for). It will really help against
> people abusing your network and filling up your pipe(s).
>
> Matter 1:
>
> What scared me was the great amount of bounced mail we got back from the
> 900 mails we sent. I think at least 10% did not exist. Besides that we got
> a lot of replies like 'hey don't bother me, I don't work there
> anymore'. Why doesn't RIPE test periodically if email addresses still work?
>
> Matter 2:
>
> Like I said, we got a lot of useful replies and they all more or less
> contained the same information. People had full, non-working internet
> links for days because of the attacks and were very happy that we pointed
> them to the 'Auscert workaround' because now they've closed their DNS'es
> the traffic (and business!) goes back to normal. Because of the info we
> got, we are -while I write this- trying to trace back to the origin of the
> spoofed packets.
>
> I think it would be very helpful if there was a mailing list where European
> operators could discuss these kinds of incidents, like the USA people do at
> the Securityfocus mailing list
> (http://www.securityfocus.com/templates/archive.pike?list=75). I think the
> introduction at http://www.securityfocus.com/forums/incidents/intro.html
> would describe the use of such a list very well. Incidents like this DoS
> which affect a lot of European networks could be stopped much quicker, and
> if you can contact your fellow operators you don't have to waste expensive
> time trying to track down those stupid scriptkids (believe me.. it takes a
> lot of time ;-)). Of course things like virii, talk about used exploits
> etc. are on-topic and interesting too.
>
> Like I said: time is money, so we set up the list
> euro-incidents@localhost already. Anybody can subscribe at
> http://www.security.nl/mailman/listinfo/euro-incidents.
>
> Thanks for your time,
>
> Mark Lastdrager
> Pine Internet
>
> --
> email: mark@localhost :: ML1400-RIPE :: tel. +31-70-3111010
> http://www.pine.nl :: RIPE RegID nl.pine :: fax. +31-70-3111011
> PGP key ID 92BB81D1 :: Dutch security news @ http://security.nl
> Today's excuse: We only support a 28000 bps connection.
--
-- Arie Kuipers, IP Engineer
-- KPNQwest N.V. - IP NOC (formerly EUnet)
-- Singel 540, 1017 AZ Amsterdam, NL
-- Phone: +31 (0)20 4210865; Fax: +31 (0)20 6224657
-- Email: ariek@localhost
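Added example, not part of the thread and not code from Pine Internet, KPNQwest or AUSCERT: a small Python script that does offline the first half of what Mark describes above. It reads tcpdump-style DNS records captured on the victim's side, separates the responses the victim never asked for (the reflected flood) from the victim's own resolver traffic, and groups the suspected amplifying nameservers by /24 so their administrators can be looked up and contacted. The record format, the addresses (RFC 5737 documentation ranges) and the threshold are constructed for the example, and the RIPE database query itself is left out so the script runs without network access.

```python
"""Detect a reflected DNS response flood and list the abused nameservers.

Added example for this thread; not code from Pine Internet, KPNQwest or
AUSCERT. The record format is a constructed, simplified tcpdump-like line
("time src.port > dst.port: Q|R (bytes)"), and all addresses are RFC 5737
documentation addresses chosen for the example.
"""
import ipaddress
import re
from collections import defaultdict

# One constructed record per UDP DNS packet:  time src.port > dst.port: kind (len)
LINE_RE = re.compile(
    r"^(?P<ts>\d+:\d+:\d+\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<kind>[QR])\s+\((?P<length>\d+)\)$"
)

VICTIM = "192.0.2.10"   # constructed: the host whose link is being filled

# Constructed sample capture taken on the victim's side: one legitimate
# query/response pair with its own resolver (192.0.2.53), then a burst of
# large responses the victim never asked for, from open nameservers in two
# different /24s, plus one stray response that stays below the threshold.
SAMPLE_LOG = """\
22:53:01.000100 192.0.2.10.1030 > 192.0.2.53.53: Q (45)
22:53:01.002200 192.0.2.53.53 > 192.0.2.10.1030: R (120)
22:53:01.010000 198.51.100.7.53 > 192.0.2.10.1024: R (512)
22:53:01.010400 198.51.100.9.53 > 192.0.2.10.1024: R (498)
22:53:01.010900 198.51.100.7.53 > 192.0.2.10.1024: R (512)
22:53:01.011200 203.0.113.21.53 > 192.0.2.10.1024: R (505)
22:53:01.011800 198.51.100.7.53 > 192.0.2.10.1024: R (512)
22:53:01.012100 203.0.113.21.53 > 192.0.2.10.1024: R (505)
22:53:01.012500 203.0.113.21.53 > 192.0.2.10.1024: R (505)
22:53:01.013000 198.51.100.9.53 > 192.0.2.10.1024: R (498)
22:53:01.013300 203.0.113.40.53 > 192.0.2.10.1024: R (300)
"""


def parse_log(text):
    """Parse capture lines into dicts; lines not in the expected format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({
                "ts": m["ts"],
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
                "kind": m["kind"], "length": int(m["length"]),
            })
    return records


def unsolicited_responses(records, victim):
    """Responses to `victim` from port 53 with no earlier matching query from `victim`.

    In the attack described in the thread the queries carry the victim's
    spoofed source address, so the victim's own capture never contains the
    outbound query that would explain the response: every reflected packet
    shows up here, while the victim's genuine resolver traffic does not.
    """
    asked = set()           # (server, victim port) pairs the victim really queried
    flood = []
    for r in records:
        if r["kind"] == "Q" and r["src"] == victim:
            asked.add((r["dst"], r["sport"]))
        elif r["kind"] == "R" and r["dst"] == victim and r["sport"] == 53:
            if (r["src"], r["dport"]) not in asked:
                flood.append(r)
    return flood


def amplifier_report(records, victim, min_responses=2):
    """Group suspected amplifiers by /24 with response count and bytes per server.

    The /24 grouping stands in for the 'which network do I report this to'
    step; the RIPE database lookup Mark describes is not performed here.
    `min_responses` filters out stray single packets (constructed threshold;
    a real flood is thousands of responses per server).
    """
    per_server = defaultdict(lambda: {"responses": 0, "bytes": 0})
    for r in unsolicited_responses(records, victim):
        per_server[r["src"]]["responses"] += 1
        per_server[r["src"]]["bytes"] += r["length"]

    by_network = defaultdict(dict)
    for server, stats in per_server.items():
        if stats["responses"] >= min_responses:
            net = ipaddress.ip_network(f"{server}/24", strict=False)
            by_network[str(net)][server] = stats
    return dict(by_network)


if __name__ == "__main__":
    report = amplifier_report(parse_log(SAMPLE_LOG), VICTIM)
    for net in sorted(report):
        print(f"{net}  (contact the administrators of this network)")
        for server, stats in sorted(report[net].items()):
            print(f"    {server:<16} {stats['responses']:>4} responses  {stats['bytes']:>6} bytes")
```

The matching step is what keeps the victim's own resolver out of the report: a reflected response has no outbound query behind it, a legitimate one does. The per-server byte totals are what a network operator would quote in the abuse report, and the /24 grouping is only a stand-in for the real allocation boundaries the RIPE database would give.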