Posts Tagged ‘tshark’

ISC Contacts L’il Ol’ Me!

Someone from ISC contacted me a couple of days ago about the ongoing DRDoS attack that one of my client’s DNS servers has been involved in for months (see the comments section of ISC.org DRDoS Update 2: Problems with .nl Netherlands TLD). I was quite surprised to hear from them and now wonder whether the more responsible thing would have been to contact them from the outset. At any rate, I dropped the netfilter rules very briefly this morning to obtain a fresh sample of packets. Naturally, my client was not entirely thrilled with the idea. Here’s the nice letter I sent them:


Hello,

I was pleasantly surprised to see someone from ISC asking for
information pertaining to an ongoing DRDoS attack against one of my
client’s servers at
http://foxpa.ws/2011/01/03/isc-org-drdos-update-2-problems-with-nl-netherlands-tld/

I will be happy to provide you with what I know, sample packet data
and cooperation in implementing and testing suggestions.

I think I am looking at a (D)RDoS that is using spoofed ARP-based ANY
queries for isc.org with the intent to obfuscate its source and
amplify its payload. The following series of links more or less
documents the evolution of my theory and how I have tried to contain
the attack:

http://foxpa.ws/2010/07/20/making-the-case-for-access-controlled-recursive-lookups-with-bind/
http://foxpa.ws/2010/07/21/thwarting-the-isc-org-dns-ddos/
http://foxpa.ws/2010/11/17/isc-org-any-request-drdos-update/
http://foxpa.ws/2011/01/03/isc-org-drdos-update-2-problems-with-nl-netherlands-tld/

Please find attached a libpcap formatted file with fresh packets
sampled this morning (the filter was adjusted to only record ANY
transactions). Please remove any identifying marks from the packets if
you distribute them.

It may be noteworthy that the bursts of traffic seem to be focused on
the daytime (EST) hours and generally dwindle down at night.

Hopefully this has helped; please do not hesitate to get in touch with
me if I can be of further service.

Cheers,

K


It would be fantastic if the whiz kids over there could come up with a better idea of dealing with this! Fingers crossed. =)

Remote Ethernet Packet Capture with Wireshark and tshark over SSH

Wireshark is a powerful and popular packet capture and analysis suite that runs on Windows and most flavours of UNIX. Often one finds oneself in need of its GUI’s abilities on remote, headless servers without X Windows (and who wants to install X on a server if they don’t have to?). There are three options: use a text/ncurses-based packet capture tool like ettercap to analyze the traffic on the server itself, save packet capture files and move them to your Wireshark host, or pipe the output from tshark, Wireshark’s text interface, to your client in real time. The last option suits me best: I don’t want to have to learn two packet capture suites if I can get by with one, and it is often useful to see the packets fly by as they arrive.

To compile Wireshark without the GUI, and therefore all of its X windows dependencies, on Gentoo:

# USE="-gtk" emerge wireshark

Or disable the gtk USE flag in your /etc/make.conf.

The next step is to establish passwordless root SSH access to the target machine. This should only be temporary, as it is best practice to disallow any form of remote login for the root user. Please read my previous article, Passwordless or Single Password SSH with Key Exchange, but be sure to use a blank passphrase for your key and disregard the part about restricting root access. Once this has been completed and you are able to log in to the target server by simply typing ssh hostname, you are ready to begin your packet capture.

On the client which runs the GUI version of Wireshark, open up a shell as root and run the following:

wireshark -k -i <(ssh -l root xxx.xxx.xxx.xxx /usr/bin/tshark -i eth0 -w - )

Be sure to change the path to tshark if this does not reflect your installation. Adjust the interface (-i flag) to match your target.
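The same capture wrapped in a small script, as an added example that is not code from the original post. It assumes hypothetical function names and sample addresses (192.0.2.10, capture.example); it adds a capture filter that keeps the SSH session carrying the stream out of the capture (otherwise the stream captures its own packets), an authorized_keys line that pins the passphrase-less key to the tshark command instead of granting a full root shell, and a named pipe so that plain sh works without bash process substitution.

```shell
#!/bin/sh
# Added example, not code from the original post. The function names and the
# sample addresses (192.0.2.10, capture.example) are hypothetical.

# Capture filter that excludes the SSH session carrying the capture stream.
# Without it the stream captures its own packets and grows without bound.
capture_filter() {  # $1 = client address, $2 = optional extra BPF expression
    base="not (tcp port 22 and host $1)"
    if [ -n "$2" ]; then
        printf '%s and (%s)' "$base" "$2"
    else
        printf '%s' "$base"
    fi
}

# authorized_keys entry that pins the passphrase-less key to a single tshark
# command from a single client: the key can stream packets but cannot open a
# shell, allocate a pty or forward ports.
forced_key_line() {  # $1 = client address, $2 = interface, $3 = BPF filter, $4 = public key
    printf 'from="%s",command="/usr/bin/tshark -i %s -w - -f \\"%s\\"",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s' \
        "$1" "$2" "$3" "$4"
}

# Client side: read the remote pcap stream through a named pipe, which works in
# plain sh (no bash process substitution needed). If the server pinned the key
# with forced_key_line, sshd ignores the command given here and runs its own.
remote_capture() {  # $1 = user@host, $2 = remote interface, $3 = BPF filter
    fifo=$(mktemp -u) && mkfifo -m 600 "$fifo" || return 1
    ssh "$1" /usr/bin/tshark -i "$2" -w - -f "'$3'" > "$fifo" &
    wireshark -k -i "$fifo"
    kill $! 2>/dev/null
    rm -f "$fifo"
}

# Usage: remote-capture.sh root@capture.example eth0 192.0.2.10
if [ $# -eq 3 ]; then
    remote_capture "$1" "$2" "$(capture_filter "$3")"
fi
```

The third argument is the address of the machine running Wireshark, which is what the filter excludes; the output of forced_key_line goes into the server's authorized_keys in place of the bare public key.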

Made in Canada  •  There's a fox in the Gibson!  •  2010-12