
ISC Contacts L'il Ol' Me!

karma

Someone from ISC contacted me a couple days ago regarding the ongoing DRDoS attack one of my client's DNS servers has been involved in for months, see the comments section of ISC.org DRDoS Update 2: Problems with .nl Netherlands TLD. I was quite surprised to hear from them and now wonder if perhaps the more responsible thing to do would have been to contact them from the outset. At any rate I dropped the netfilter rules very briefly this morning to obtain a fresh sample of packets. Naturally, my client was not entirely thrilled with the idea. Here's the nice letter I sent them:


Hello,

I was pleasantly surprised to see someone from ISC asking for
information pertaining to an ongoing DRDoS attack against one of my
client's servers at
http://foxpa.ws/2011/01/03/isc-org-drdos-update-2-problems-with-nl-netherlands-tld/

I will be happy to provide you with what I know, sample packet data
and cooperation in implementing and testing suggestions.

I think I am looking at a (D)RDoS that is using spoofed ARP-based ANY
queries for isc.org with the intent to obfuscate its source and
amplify its payload. The following series of links more or less
documents the evolution of my theory and how I have tried to contain
the attack:

http://foxpa.ws/2010/07/20/making-the-case-for-access-controlled-recursive-lookups-with-bind/
http://foxpa.ws/2010/07/21/thwarting-the-isc-org-dns-ddos/
http://foxpa.ws/2010/11/17/isc-org-any-request-drdos-update/
http://foxpa.ws/2011/01/03/isc-org-drdos-update-2-problems-with-nl-netherlands-tld/

Please find attached a libpcap formatted file with fresh packets
sampled this morning (the filter was adjusted to only record ANY
transactions). Please remove any identifying marks from the packets if
you distribute them.

It may be noteworthy that the bursts of traffic seem to be focused on
the daytime (EST) hours and generally dwindle down at night.

Hopefully this has helped, please do not hesitate to get in touch with
me if I can be of further service.

Cheers,

K


It would be fantastic if the whiz kids over there could come up with a better idea of dealing with this! Fingers crossed. =)
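For readers who want to see what the sampling filter in the letter boils down to, here is an added example (not code from the original post or from ISC): a minimal DNS wire-format parser that pulls the question out of each UDP payload and counts ANY queries for isc.org per source address. The sample packets are constructed inline with RFC 5737 documentation addresses; the threshold and the target name are assumptions. Note that in a spoofed-source DRDoS the "source" address is the victim's, so the addresses this flags are the ones whose amplified responses should be dropped or rate-limited, not the attacker's real hosts.

```python
import struct
from collections import Counter

QTYPE_ANY = 255          # RFC 1035 QTYPE for "all records"
QTYPE_A = 1


def build_query(name, qtype, txid=0x1234):
    """Build a minimal DNS query (header + one question) in wire format.

    Used here only to construct sample packets; a real capture would
    supply the UDP payloads directly.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_question(payload):
    """Return (qname, qtype) of the first question in a DNS query.

    Returns None for responses, truncated packets, or names that use
    compression pointers in the question section (not valid in a query).
    """
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:   # QR bit set => response, not query
        return None
    labels = []
    pos = 12
    while True:
        if pos >= len(payload):
            return None
        ln = payload[pos]
        if ln == 0:
            pos += 1
            break
        if ln & 0xC0:                   # compression pointer: treat as malformed
            return None
        pos += 1
        labels.append(payload[pos:pos + ln].decode("ascii", "replace"))
        pos += ln
    if pos + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels).lower(), qtype


def flag_any_sources(packets, target="isc.org", threshold=3):
    """Count ANY queries for `target` per source IP and return the sources
    at or above `threshold`.  `packets` is an iterable of (src_ip, payload).
    """
    counts = Counter()
    for src, payload in packets:
        q = parse_question(payload)
        if q is not None and q[0] == target and q[1] == QTYPE_ANY:
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample traffic (documentation addresses, not real captures):
# one address sends a burst of ANY queries for isc.org, the others are benign.
SAMPLE = [("203.0.113.7", build_query("isc.org", QTYPE_ANY))] * 5 + [
    ("198.51.100.2", build_query("isc.org", QTYPE_A)),
    ("192.0.2.9", build_query("example.com", QTYPE_ANY)),
    ("198.51.100.2", b"\x12\x34"),   # truncated garbage, must not crash the parser
]

if __name__ == "__main__":
    for src, n in flag_any_sources(SAMPLE).items():
        print(f"{src}: {n} ANY queries for isc.org")
```

The same classification is what a BPF or netfilter rule has to express at the byte level (QTYPE 255 following the encoded name); doing it in a script first makes it easy to check a capture against the rule before deploying it on a production resolver.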

Comments

• John

Did you get any feedback from ISC? We are also trying to get rid of that problem...

Thanks.

karma

I was mostly told what I had already deduced. Unfortunately I have not yet had the time to pursue this matter further but will be sure to share any news here.

Michel Graff

Some of us might even find your blog. :)

btw, none of the links in the main body work. I suspect /tag/ needs to be removed from them?

--Michael

karma

Thanks for pointing that out! It seems when you browse by tag you see the whole articles. The links will work fine if you view the articles head-on or through the main page:

http://foxpa.ws/
http://foxpa.ws/2011/01/11/isc-contacts-lil-ol-me/

karma

Oops! I thought the problem was in the template but it turns out it was an overzealous wysiwyg editor. The links have been fixed, thanks again!