Attack on the DNS ?

Anyone seen signs of this attack actually occurring?

http://www.nytimes.com/2012/03/31/technology/with-advance-warning-bracing-for-attack-on-internet-by-anonymous.html?_r=1

<snip>
The message called it Operation Global Blackout, and rallied Anonymous
supporters worldwide to attack the Domain Name System, which converts
human-friendly domain names like google.com into numeric addresses
that are more useful for computers.

It declared when the attack would be carried out: March 31. And it
detailed exactly how: by bombarding the Domain Name System with junk
traffic in an effort to overwhelm it altogether.
<snip>

Regards
Marshall

Anyone seen signs of this attack actually occurring?

http://www.nytimes.com/2012/03/31/technology/with-advance-warning-bracing-for-attack-on-internet-by-anonymous.html?_r=1

From my vantage point in Oslo, Norway, there is no sign of any attack occurring.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

We have already had this type of attack in Bucharest/Romania since last Friday. The targets were IPs of some local webhosters, but at one moment we even saw IPs from Go Daddy.
Tcpdump will show something like:
11:10:41.447079 IP target > open_resolver_ip.53: 80+ [1au] ANY? isc.org. (37)
11:10:41.447082 IP target > open_resolver_ip.53: 59147+ [1au] ANY? isc.org. (37)
11:10:41.447084 IP target > open_resolver_ip.53: 13885+ [1au] ANY? isc.org. (37)

After one week the attack has been mostly mitigated, and the remaining open resolvers are probably Windows servers. Apparently in Bill G's world it is impossible to restrict recursion.

<more snip>

"Those preparations turned into a fast-track, multimillion-dollar global effort
to beef up the Domain Name System. They offer a glimpse into the largely
unknown forces that keep the Internet running in the face of unpredictable,
potentially devastating threats."

Was there *really* that much of a reaction to *this* threat, over and above
the continual 24x7x365 ongoing effort to add resiliency and mitigation to the DNS?

We have already had this type of attack in Bucharest/Romania since last
Friday. The targets were IPs of some local webhosters, but at one
moment we even saw IPs from Go Daddy.
Tcpdump will show something like:
11:10:41.447079 IP target > open_resolver_ip.53: 80+ [1au] ANY? isc.org. (37)
11:10:41.447082 IP target > open_resolver_ip.53: 59147+ [1au] ANY? isc.org. (37)
11:10:41.447084 IP target > open_resolver_ip.53: 13885+ [1au] ANY? isc.org. (37)

After one week the attack has been mostly mitigated, and the remaining
open resolvers are probably Windows servers. Apparently in Bill G's world
it is impossible to restrict recursion.

This is a spoofed source amplification/reflection attack, and is really
going on all the time. It has nothing to do with any possible Anonymous
attack on the root name servers.

ANY queries for isc.org and ripe.net are popular (ietf.org has also been
seen), since they give a potentially large amplification factor.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

FWIW, saw ANY queries at a rate of 10 per second from one IP to a DNS server today, all for isc.org. Saw a few hundred more for tmss.trendmicro.com from a different IP. Other popular names include plus.google.com, maps.google.com, and play.google.com. (all denied by that particular server, which is patched against such).

Anyone know if there's a project to track popular amplification names? :)
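The detection side of what Steinar describes (many ANY queries for a handful of names, apparently from one "source" that is really the spoofed victim) and the follow-up question about tracking popular amplification names can both be worked from the tcpdump summary lines shown above. The script below is an added example, not code from anyone in this thread: it parses tcpdump's default DNS summary format, flags any source whose ANY-query rate toward a resolver hits a per-second threshold, and tallies which names the ANY queries ask for. The capture it runs on is constructed (documentation-range addresses), and the 10 queries/second threshold is an assumption taken from the rate mentioned in the post above.

```python
import re
from collections import Counter, defaultdict

# One tcpdump DNS summary line, in the shape shown in the thread:
# 11:10:41.447079 IP target > open_resolver_ip.53: 80+ [1au] ANY? isc.org. (37)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<qid>\d+)\+?\s*(?:\[(?P<edns>[^\]]*)\] )?"
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<len>\d+)\)$"
)


def strip_port(addr):
    """tcpdump appends the port as a fifth dotted field for IPv4 ("a.b.c.d.port")."""
    parts = addr.split(".")
    if len(parts) == 5 and all(p.isdigit() for p in parts):
        return ".".join(parts[:4])
    return addr


def to_seconds(ts):
    """Convert an HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Return the query fields of a tcpdump DNS line, or None for non-DNS lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "t": to_seconds(m.group("ts")),
        "src": strip_port(m.group("src")),   # the claimed source, i.e. the reflection victim
        "dst": strip_port(m.group("dst")),
        "edns": m.group("edns"),             # "1au" marks an EDNS0 query allowing large answers
        "qtype": m.group("qtype"),
        "qname": m.group("qname"),
    }


def flag_any_floods(lines, threshold=10):
    """Sources whose ANY-query count reaches `threshold` in some one-second window.

    Returns {src: (peak_queries_per_second, most_queried_name)}.
    """
    per_second = defaultdict(Counter)   # src -> {second bucket: count}
    names = defaultdict(Counter)        # src -> {qname: count}
    for line in lines:
        q = parse_line(line)
        if q is None or q["qtype"] != "ANY":
            continue
        per_second[q["src"]][int(q["t"])] += 1
        names[q["src"]][q["qname"]] += 1
    flagged = {}
    for src, buckets in per_second.items():
        peak = max(buckets.values())
        if peak >= threshold:
            flagged[src] = (peak, names[src].most_common(1)[0][0])
    return flagged


def any_name_counts(lines):
    """How often each name is asked for with ANY, across all sources."""
    counts = Counter()
    for line in lines:
        q = parse_line(line)
        if q is not None and q["qtype"] == "ANY":
            counts[q["qname"]] += 1
    return counts


# Constructed sample capture (not real traffic): twelve ANY queries for isc.org.
# inside one second from one claimed source, a little ordinary traffic from
# another host, and one non-DNS line that the parser must skip.
SAMPLE_CAPTURE = [
    *(f"11:10:41.{447079 + i * 7:06d} IP 203.0.113.5.{40000 + i} > 192.0.2.53.53: "
      f"{100 + i}+ [1au] ANY? isc.org. (37)" for i in range(12)),
    "11:10:41.500001 IP 198.51.100.9.51001 > 192.0.2.53.53: 7+ A? www.example.com. (33)",
    "11:10:41.600002 IP 198.51.100.9.51002 > 192.0.2.53.53: 8+ [1au] ANY? ripe.net. (37)",
    "11:10:42.100003 IP 198.51.100.9.51003 > 192.0.2.53.53: 9+ A? mail.example.com. (34)",
    "11:10:42.200004 IP 198.51.100.9.443 > 203.0.113.5.55555: Flags [.], ack 1, win 1024, length 0",
]

if __name__ == "__main__":
    for src, (peak, name) in flag_any_floods(SAMPLE_CAPTURE).items():
        print(f"{src}: {peak} ANY queries/s, mostly for {name}")
    print(any_name_counts(SAMPLE_CAPTURE).most_common(3))
```

On the constructed capture only 203.0.113.5 is flagged (12 ANY queries for isc.org. in one second), while the host that sent a single ANY query for ripe.net. is not; the name tally is what an operator would feed into a list of names worth rate-limiting or refusing ANY for on a resolver that should not be recursing for outsiders in the first place. To run it on a real capture, feed `tcpdump -n -l port 53` output line by line into the same functions.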

I manage a tiny network in the Amazon, a satellite internet connection and decent sized wireless network.

All of my users started complaining yesterday about lost connectivity except for Skype. I had no problems. I checked from the users' computers and could not resolve domain names (when Skype connects and nothing else does it's always been a DNS issue). After much troubleshooting I finally fired up Wireshark and saw that the DNS servers (or someone appearing to have their IP addresses) were replying to our queries with "no such name".

The reason I was having no problems is I'm using OpenDNS' DNSCrypt. With DNSCrypt on we have no problems. With good old fashioned unencrypted DNS (Googles, OpenDNS', our ISPs) we're barely able to communicate.

Is DNS traffic being directed to bogus servers? Are the real servers being overloaded? Am I seeing the results of some kind of DDOS mitigation technique?

Is anyone else seeing this?

Greg Ihnen

Looks like your network has a user or two participating in this retarded attempt to drop the Internet.

Thanks,
Ameen Pishdadi

If you are using a broadband connection from the Brazilian incumbent
operator (Oi), you might indeed be redirected to bogus servers.
They are very fond of "monetizing" techniques with their user base,
using either DNS or all the traffic for that matter (Phorm).

Rubens