DNS Attacks

http://thehackernews.com/2012/02/fbi-will-shutdown-internet-on-march-8.html

Quoting the FBI:

85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255

Solve said problem easily by destination NATing those IPs on 53/UDP/TCP to your own recursive servers, or dump them on Google at 8.8.8.8 if you're so inclined. Extra bonus result: NAT logs will show who needs a pleasant email from customer service.

Or you could just let 'em[1] suffer, BoFH-style.

jms

[1] "'em" in this case is "your customer service reps" who will see a 'higher than normal call volume' should the FBI's warning mean anything.

Joel M Snyder <Joel.Snyder@Opus1.COM> wrote;

> FBI will shutdown the Internet on March 8

Quoting the FBI:

85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255

Solve said problem easily by destination NATing those IPs on 53/UDP/TCP
to your own recursive servers, or dump them on Google at 8.8.8.8 if
you're so inclined. Extra bonus result: NAT logs will show who needs a
pleasant email from customer service.

Even better, nat to a 'bogon' DNS server -- one that -- regardless of the
query -- returns the address of a dedicated machine on your network set up
especially for this purpose. This special-purpose machine returns a
customized 'error message' for any/all 'standard' protocols -- one that
states that they are infected with the particular malware, that none of
their attempts at intnernet access will work until they get that malware
removed, that they need to contact a 'computer repair' business ("See the
Yellow pages") to get the problem dealt with, -and- that assistance with
such malware removal is -not- part your 'support' services. Lastly, add
a statement that any calls to -your- support staff will cause the customer's
account a fee of $xx -- just for repeating the above. Th special-purpose
machine logs all inbound connection attempts -- timestamp, source IP, and
protocol -- for matching against customer accounts, providing a provable
audit trail to support the 'penalty' charge, when users -do- call 'support'.
Optionally, you refer them to a 'paid consulting' division of your operation,
which provides additional services on a time-and-materials basis.

This approach is -not- particularly 'customer-friendly' in the short term,
but it -will- have long-term benefits for the customer -- they _will_ have
learned something about the risks of not 'practicing safe hex', and their
machine(s) will (well, _probably_) be safer/more secure in the future. Thus
reducing future problems for both the customer and the provider support desk.

What happens when the client sends a POST from a cached page on the end
user's machine? E.g. if they post login credentials. Of course, they'll get
the error page, but then you have confidential data in your logs and now
you have to protect highly confidential info, at least if you're in europe.

It is possible to configure the web server not to log POSTed info.

Per default most webservers (Apache, nginx, etc) won't log POST
variables, GET variables will be logged (as they are part of the query)
but those should not contain any PII.

Greets,
Jeroen

Right. They shouldn't. But the security mailing lists have lots of
counter-examples from clue-challenged web developers.. Plan your logging
strategy accordingly (is there any safe answer here other than "disable
logging" or "log only timestamp and source IP"?)

From ken.gilmour@gmail.com Sun Feb 19 05:04:39 2012
Date: Sun, 19 Feb 2012 11:59:37 +0100
Subject: Re: DNS Attacks
From: Ken Gilmour <ken.gilmour@gmail.com>
To: Robert Bonomi <bonomi@mail.r-bonomi.com>
Cc: nanog@nanog.org

>
> Even better, nat to a 'bogon' DNS server -- one that -- regardless of the
> query -- returns the address of a dedicated machine on your network set up
> especially for this purpose.

What happens when the client sends a POST from a cached page on the end
user's machine? E.g. if they post login credentials. Of course, they'll get
the error page, but then you have confidential data in your logs and now
you have to protect highly confidential info, at least if you're in europe.

*WHAT* 'confidential data' in which logs? <grin>

The aforementioned dedicated machine isn't a real web-server, or a real
'any other' server -- it is solely a special-purpose application machine,
When you connect to it on say, port 80, it doesn't log anything from the
port -- it just logs (1) the timestamp, and (2) the connecting IP address
(and _nothing_ else); then it copies out a previously prepared static file,
and disconnects.

You build a separae app that reads that logfile, matches IP ddress/timestamp
to a customer account, and feeds a message into the 'customer records' system
that this customer -has- been notified of this problem, and when, in case
they call for support.

If one is 'really' paranoid, the 'logfile' can be implemented as a 'pipe'
between the processes, so that the data never hits disk in the first place.

I've got proof-of-concept code for a single program that handles HTTP (port
80), SMTP (port 25 and port 587), POP3 (port 110), IMAP2 & 4 (port 143), IMAP3
(port 220), TELNET (port 23), FTP (port 21), and NNTP (port 119), so far.
I'm planing to add IRC, and various SSL-based protocols as well.

I am a mere user, so I all this stuff sounds to me like giberish.

The right solution is to capture the request to these DNS servers, and
send to a custom server with a static message "warning.html". Nothing
fancy. With a phone number to "get out of jail", so people can call
to "op-out" of this thing, so can browse the internet to search for a
solution.

This or do nothing.

http://www.guardian.co.uk/world/2012/jan/18/iran-death-sentence-porn-programmer
Interpol helps Iran capture a programmer for creating porn sites.

Now, if the Interpol want you to block a DNS server, or worse, to spy
on users conecting to a DNS server. Will you help? doing nothing is
also a good option, methinks. Start medling, redirecting dns trafic,
spyiing on the user... all these things are dirty and can't end well.

(note, of course, I am a user, so I have a user opinion. )

Not all DNS lookups are for websites. The lookup could be for NTP, or SMTP,
or ssh, or a World of Warcraft server, or....

thank you.

in this case, the fbi/dns-changer case, the information is pretty
straightforward for theisp folk... 'client machine makes dns queries
not to the isp dns server (or one of several free dns services), but
to a known bad set of netblocks'

the easy fix is to just stand up (forever, ha!) dns servers on the ip
blocks inside the ISP's network, done and done... they can then start
notifying the customers via mail/email/carrier-pidgeon that they are
infected, along with instructions about how to get un-infected.

-chris

I am a mere user, so I all this stuff sounds to me like giberish.

The right solution is to capture the request to these DNS servers, and
send to a custom server with a static message "warning.html". Nothing
fancy. With a phone number to "get out of jail", so people can call
to "op-out" of this thing, so can browse the internet to search for a
solution.

in this case, the fbi/dns-changer case, the information is pretty
straightforward for theisp folk... 'client machine makes dns queries
not to the isp dns server (or one of several free dns services), but
to a known bad set of netblocks'

the easy fix is to just stand up (forever, ha!) dns servers on the ip
blocks inside the ISP's network, done and done...

given the size and distribution of the ip blocks in question I doubt
very much that they will go unused forever...

from a previous message in this thread.

  Quoting the FBI:
  85.255.112.0 through 85.255.127.255
  67.210.0.0 through 67.210.15.255
  93.188.160.0 through 93.188.167.255
  77.67.83.0 through 77.67.83.255
  213.109.64.0 through 213.109.79.255
  64.28.176.0 through 64.28.191.255

which map quite nice to various rir prefix assigments. it's almost like
someone cribbed the whois inetnum field when they loaded their scattergun...

inetnum: 85.255.112.0 - 85.255.127.255

while I have no doubt that some of those prefixes my be run by rather
than simply host to bad actors, if they're returned to rirs, they will
be assigned again, so a static filter policy will return to bite us
again like it always does.

sure, so you are saying there's a timelimit on how long the supposed
ISP can run this infrastructure... and that they have until then to
lower their loss rate(s) when customers are cutoff and call their
support center because: "The Intertubes are down!".

sounds accurate to me... of course, they've already been getting
notifications of infected folks, so hopefully they have a jump on the
problem already?

it's wishful thinking monday!
-chris

Either you don't log the data on the webserver, or you notify the
user that the POST form data has now been posted, and display the link
to the public web page where their posted data now appears, on the
error page.

Once your user has shared "confidential" information unsolicited with
an unknown third party, and the general public, the information's
confidentiality was spoiled by the act of posting, regardless of the
content of the information

I see lawyers booking their vacations in Tahiti now.....

Here is a repeat
http://www.theregister.co.uk/2012/02/16/ghost_domains_dns_vuln/

-henry