R: a few matters about security and consistency
Arie Kuipers ariek at kpnqwest.net
Thu Jul 6 10:32:40 CEST 2000
Please discuss this somewhere else :-)

Alessandro.Pelosi at swisscom-italy.com wrote:

> We experienced the same problem... one of our customers was attacked
> properly in this way....
> The only way to stop it was to add an ip route on our gateway router that
> trashed into null0 all the traffic directed to the victim server, and then
> renumber the other services.
>
> -----Original Message-----
> From: Mark Lastdrager [mailto:mark at pine.nl]
> Sent: Wednesday 5 July 2000 22:53
> To: lir-wg at ripe.net
> Cc: cert at pine.nl
> Subject: a few matters about security and consistency
>
> Hi,
>
> There are two matters I want to discuss, which are related from my point
> of view.
>
> Yesterday, one of our hosts was attacked (Denial of Service). The attacker
> was using the DNS DoS described in
> http://www.ciac.org/ciac/bulletins/j-063.shtml (AUSCERT AL-1999.004) for
> this.
>
> The attack used, in short: small DNS queries are sent from the attacker
> to each of the DNS servers. These queries contain the spoofed IP address
> of the target. The DNS servers respond to the small query with a large
> response. These responses are routed to the target, causing link
> congestion and possible denial of Internet connectivity.
>
> This morning, we took our tcpdump logs of the attacks and built a script
> which queried the RIPE database for the admins of the abused
> ('man-in-the-middle') networks. We got almost 900 unique email addresses
> out of this, to whom we sent a clear email describing what happened and
> asking for any logs or other usable information to find out who the
> attacker is. We were astonished how many people reacted with useful
> information; we are still investigating right now.
>
> It turned out we were not the only one attacked; it now looks like the
> attacker (or attackers, of course) is abusing most of the 194.x network to
> amplify the DNS requests pointing at a lot of Dutch hosts and even some
> in the USA.
>
> Ok, that was the scary part ;-) If you operate 1 or more DNS servers,
> please read the AUSCERT document and apply the workarounds they mention
> there (only allow your nameserver(s) to answer queries from trusted
> hosts and/or for zones you are authoritative for). It will really help
> against people abusing your network and filling up your pipe(s).
>
> Matter 1:
>
> What scared me was the great amount of bounced mail we got back from the
> 900 mails we sent. I think at least 10% did not exist. Besides that we got
> a lot of replies like 'hey, don't bother me, I don't work there
> anymore'. Why doesn't RIPE test periodically if email addresses still work?
>
> Matter 2:
>
> Like I said, we got a lot of useful replies and they all more or less
> contained the same information. People had full, non-working internet
> links for days because of the attacks and were very happy that we pointed
> them to the 'AUSCERT workaround', because now they've closed their DNSes
> the traffic (and business!) goes back to normal. Because of the info we
> got, we are -while I write this- trying to trace back to the origin of the
> spoofed packets.
>
> I think it would be very helpful if there was a mailing list where European
> operators could discuss this kind of incident, like the USA people do at
> the SecurityFocus mailing list
> (http://www.securityfocus.com/templates/archive.pike?list=75). I think the
> introduction at http://www.securityfocus.com/forums/incidents/intro.html
> would describe the use of such a list very well. Incidents like this DoS
> which affect a lot of European networks could be stopped much quicker, and
> if you can contact your fellow operators you don't have to waste expensive
> time trying to track down those stupid script kids (believe me.. it takes a
> lot of time ;-)). Of course things like virii, talk about used exploits
> etc. are on-topic and interesting too.
>
> Like I said: time is money, so we set up the list
> euro-incidents at security.nl already. Anybody can subscribe at
> http://www.security.nl/mailman/listinfo/euro-incidents.
>
> Thanks for your time,
>
> Mark Lastdrager
> Pine Internet
>
> --
> email: mark at lastdrager.nl :: ML1400-RIPE :: tel. +31-70-3111010
> http://www.pine.nl :: RIPE RegID nl.pine :: fax. +31-70-3111011
> PGP key ID 92BB81D1 :: Dutch security news @ http://security.nl
> Today's excuse: We only support a 28000 bps connection.

--
Arie Kuipers, IP Engineer
KPNQwest N.V. - IP NOC (formerly EUnet)
Singel 540, 1017 AZ Amsterdam, NL
Phone: +31 (0)20 4210865; Fax: +31 (0)20 6224657
Email: ariek at kpnqwest.net
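The quoted message describes taking tcpdump logs of the reflected DNS answers and working out which networks were being abused as 'man-in-the-middle' amplifiers. The script below is an added example, not code from this thread or from Pine Internet, that does the first half of that job on a defender's link: it parses tcpdump-style DNS lines, and flags a host as a likely reflection victim when it receives answers from many different name servers while having sent (almost) no queries itself, then lists the responders whose operators would be the ones to contact. The log format assumed is the text output of `tcpdump -n udp port 53`; the sample lines are constructed, use RFC 5737 documentation addresses, and the thresholds (`min_responders`, `min_ratio`) are assumptions to tune for your own traffic.

```python
"""Spot likely DNS reflection/amplification victims in tcpdump-style DNS output.

Added example, not code from the thread. Assumes lines shaped like
`tcpdump -n udp port 53` text output; sample data below is constructed and
uses RFC 5737 documentation addresses.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: 203.0.113.5 receives large answers from five different
# name servers without ever having asked (the classic spoofed-source pattern),
# while 203.0.113.9 is ordinary traffic: one small query, one small answer.
SAMPLE_LINES = """\
10:31:02.100001 IP 198.51.100.7.53 > 203.0.113.5.1234: 4711 12/0/0 A 192.0.2.9 (512)
10:31:02.100120 IP 198.51.100.8.53 > 203.0.113.5.1234: 4712 12/0/0 A 192.0.2.9 (498)
10:31:02.100330 IP 198.51.100.9.53 > 203.0.113.5.1234: 4713 12/0/0 A 192.0.2.9 (505)
10:31:02.100541 IP 198.51.100.10.53 > 203.0.113.5.1234: 4714 12/0/0 A 192.0.2.9 (511)
10:31:02.100777 IP 198.51.100.11.53 > 203.0.113.5.1234: 4715 12/0/0 A 192.0.2.9 (509)
10:31:03.000100 IP 203.0.113.9.40123 > 198.51.100.7.53: 1+ A? www.example.com. (33)
10:31:03.000900 IP 198.51.100.7.53 > 203.0.113.9.40123: 1 1/0/0 A 192.0.2.1 (49)
"""

# One tcpdump line: timestamp, "IP", src.port > dst.port:, details, (length)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): .*\((?P<length>\d+)\)\s*$"
)


def parse_line(line):
    """Return the packet's addresses, ports and UDP payload length, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {"src": d["src"], "sport": int(d["sport"]), "dst": d["dst"],
            "dport": int(d["dport"]), "length": int(d["length"])}


def summarize(lines):
    """Per host: bytes of DNS answers received, distinct responders, bytes of queries sent."""
    stats = defaultdict(lambda: {"answer_bytes": 0, "responders": set(), "query_bytes": 0})
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["sport"] == 53:          # answer coming from a name server
            s = stats[pkt["dst"]]
            s["answer_bytes"] += pkt["length"]
            s["responders"].add(pkt["src"])
        elif pkt["dport"] == 53:        # query the host sent itself
            stats[pkt["src"]]["query_bytes"] += pkt["length"]
    return stats


def find_reflection_victims(lines, min_responders=3, min_ratio=10.0):
    """Map victim host -> (responder_count, answer_bytes, query_bytes).

    A host is flagged when answers arrive from at least `min_responders`
    distinct servers and the answer bytes exceed its own query bytes by
    `min_ratio` or more: the queries were sent by someone else with a
    spoofed source, so the victim's link sees answers it never asked for.
    """
    victims = {}
    for host, s in summarize(lines).items():
        ratio = s["answer_bytes"] / max(s["query_bytes"], 1)
        if len(s["responders"]) >= min_responders and ratio >= min_ratio:
            victims[host] = (len(s["responders"]), s["answer_bytes"], s["query_bytes"])
    return victims


def reflectors_for(lines, **thresholds):
    """Name servers that answered a flagged victim: the abused networks whose
    operators need to hear about it. Sorted numerically for a stable report."""
    stats = summarize(lines)
    reflectors = set()
    for host in find_reflection_victims(lines, **thresholds):
        reflectors |= stats[host]["responders"]
    return sorted(reflectors, key=ipaddress.ip_address)


if __name__ == "__main__":
    lines = SAMPLE_LINES.splitlines()
    for host, (n, in_bytes, out_bytes) in find_reflection_victims(lines).items():
        print(f"{host}: {n} responders, {in_bytes} B answered vs {out_bytes} B asked")
    print("reflectors:", ", ".join(reflectors_for(lines)))
```

On a real link the list of reflector addresses is what you would feed into a whois/RIPE lookup, as the quoted message describes. On the name-server side, the AUSCERT workaround it recommends maps in BIND onto the `allow-query` and `allow-recursion` options, so that the server only answers recursive queries from its own clients and only answers for the zones it is authoritative for.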