Recent DNS attacks from China?

Hi All,

I am wondering if anyone else is seeing a sudden increase in DNS attacks emanating from Chinese IP addresses? Over the past 24 hours we've seen a sudden rash of Chinese IPs attacking our DNS servers on the order of 5 to 10 million PPS for periods of 5 to 10 mins, repeated every 20 to 30 minutes.

This anomalous traffic started roughly 24 hours ago, and while we've had occasions of anomalous Chinese traffic, never anything of this type.

Anyone else?

Regards,

Leland

That might explain akamai.net hostnames not resolving intermittently since Tue Nov 29 20:20:02 2011 UTC...

I don't run any authoritative or exposed caches at the moment, and the aka NXDOMAINs are the only thing we've been seeing dropouts on for the past ~48 hours, but we did see NXDOMAINs from a bunch of amazonaws hostnames over the holidays...

Once upon a time, Leland Vandervort <leland@taranta.discpro.org> said:

I am wondering if anyone else is seeing a sudden increase in DNS attacks emanating from Chinese IP addresses? Over the past 24 hours we've seen a sudden rash of Chinese IPs attacking our DNS servers on the order of 5 to 10 million PPS for periods of 5 to 10 mins, repeated every 20 to 30 minutes.

This anomalous traffic started roughly 24 hours ago, and while we've had occasions of anomalous Chinese traffic, never anything of this type.

I'm seeing something similar. The requests are to our authoritative
servers, and appear to be mostly for a small number of domains at a time
(they are all domains we are authoritative for). They are all ANY
queries, often repeated for the same domain rapidly. The requests come
from one IP at a time, but move to another IP in a minute or two.

This does NOT appear to be related to the recent BIND vulnerability.

Before we see knee-jerk conclusions about who to blame, these attacks could be carried out by anyone.

Is country even relevant in the cyberscape?

Andrew

Reading comprehension, Andrew. Leland never said the Chinese were behind it,
he never even said the packets came from China. He said the packet origins
were from Chinese IP addresses.

And yes, country *is* relevant in the cyberscape. For starters, it defines how
much cooperation you'll get in tracking, arresting, and prosecuting the
offenders. The US has had a lot more success in apprehending Gary McKinnon than
the perpetrators of Titan Rain. It's almost certainly due to the fact that
McKinnon was in Glasgow and the Titan Rain people weren't.

An attack originating from somewhere indicates the presence of either
an attacker or a compromised host. A particular density of either in
a particular geographical area would seem like an interesting data
point.

--Richard

Except in this case it's a DNS attack, which implies UDP based and easily spoofed. The source IP may or may not actually be accurate.

Ken

Yes it is, but the problem is that our servers are "attacking" the so-called source address. All the answers are going back to the "source". These are huge amplification attacks (some sort of smurf, if you want).
The IP addresses are spoofed (we did a capture and saw all different TTLs, so coming from behind different hops).
And yes, we saw the ANY queries for all the domains.

I still wonder how it is still possible that IP addresses can be spoofed nowadays.

Rob

From: Rob.Vercouteren@kpn.com [mailto:Rob.Vercouteren@kpn.com]
Sent: Wednesday, November 30, 2011 3:05 PM
To: MatlockK@exempla.org; richard.barnes@gmail.com; andrew.wallace@rocketmail.com
Cc: nanog@nanog.org; leland@taranta.discpro.org
Subject: RE: Recent DNS attacks from China?

Yes it is, but the problem is that our servers are "attacking" the so-called source address. All the answers are going back to the "source". These are huge amplification attacks (some sort of smurf, if you want).
The IP addresses are spoofed (we did a capture and saw all different TTLs, so coming from behind different hops).
And yes, we saw the ANY queries for all the domains.

I still wonder how it is still possible that IP addresses can be spoofed nowadays.

We're a smaller shop and started receiving these queries last night, roughly 1000 queries per minute or less. We're seeing that the source (victim) addresses are changing every few minutes, the TTLs vary within a given source address, and while most of the source/victim addresses have been Chinese, we are seeing a few which are not, such as 74.125.90.83 (Google). The queries are coming in to ns1.traffiq.com (perhaps ns2 also, I haven't checked) and are for traffiq.com/ANY which unfortunately gives a 492 byte response.
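Rob's TTL observation and the 492-byte traffiq.com/ANY figure above can be checked mechanically. The following is an added example, not code posted by anyone in the thread: it builds the wire-format ANY query so the request size is exact, divides the observed response size by it to get the amplification factor, and scores each claimed source in a constructed capture (RFC 5737 documentation addresses and one RFC 1918 address, not the real victims) by TTL spread, ANY-only behaviour and RFC 1918 membership. The record layout and the TTL-spread threshold are assumptions.

```python
"""Triage of DNS ANY reflection traffic from a constructed capture.

Added example, not code from the thread. Sample records are constructed
from documentation ranges (RFC 5737) and one RFC 1918 address.
"""
import ipaddress
import struct
from collections import defaultdict

QTYPE_ANY = 255
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_query(qname: str, qtype: int = QTYPE_ANY, txid: int = 0x1234) -> bytes:
    """Wire-format DNS payload (no IP/UDP headers) of a standard query, RD set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack(">HH", qtype, 1)  # QCLASS IN
    return header + question


def amplification(qname: str, response_len: int, qtype: int = QTYPE_ANY) -> float:
    """Bytes reflected at the victim per byte the attacker sends, DNS layer only
    (adding the 28-byte IPv4+UDP overhead to both sides lowers the ratio a little)."""
    return response_len / len(build_query(qname, qtype))


def is_rfc1918(ip: str) -> bool:
    # ipaddress.is_private also covers the RFC 5737 documentation ranges,
    # so the three RFC 1918 blocks are checked explicitly.
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


# Constructed sample: (claimed source IP, IP TTL on arrival, qname, qtype)
CAPTURE = [
    ("203.0.113.7", 55, "traffiq.com", 255),
    ("203.0.113.7", 116, "traffiq.com", 255),
    ("203.0.113.7", 238, "traffiq.com", 255),
    ("203.0.113.7", 49, "traffiq.com", 255),
    ("198.51.100.22", 243, "traffiq.com", 255),   # steady TTL, but still ANY-only
    ("198.51.100.22", 243, "traffiq.com", 255),
    ("10.4.4.9", 61, "traffiq.com", 255),         # RFC 1918 "source" at the border
    ("10.4.4.9", 200, "traffiq.com", 255),
    ("192.0.2.10", 57, "traffiq.com", 1),         # ordinary resolver traffic
    ("192.0.2.10", 57, "www.traffiq.com", 1),
]


def triage(records, ttl_spread_threshold: int = 2):
    """Group by claimed source and flag spoofing indicators.

    A real host behind a fixed path shows one TTL, perhaps two adjacent ones
    after a reroute; a spread of dozens means many different senders are
    writing the same source address. Repeated ANY-only traffic is the
    reflection signature even when the TTL happens to be steady."""
    by_src = defaultdict(lambda: {"queries": 0, "any": 0, "ttls": set()})
    for src, ttl, _qname, qtype in records:
        entry = by_src[src]
        entry["queries"] += 1
        entry["any"] += qtype == QTYPE_ANY
        entry["ttls"].add(ttl)
    result = {}
    for src, entry in by_src.items():
        reasons = []
        if is_rfc1918(src):
            reasons.append("rfc1918-source")
        if max(entry["ttls"]) - min(entry["ttls"]) > ttl_spread_threshold:
            reasons.append("ttl-spread")
        if entry["queries"] > 1 and entry["any"] == entry["queries"]:
            reasons.append("all-ANY")
        result[src] = {"queries": entry["queries"], "any": entry["any"],
                       "ttls": sorted(entry["ttls"]), "reasons": reasons,
                       "suspect": bool(reasons)}
    return result


if __name__ == "__main__":
    query = build_query("traffiq.com")
    print(f"traffiq.com/ANY query {len(query)} B, observed response 492 B, "
          f"amplification {amplification('traffiq.com', 492):.1f}x")
    for src, info in triage(CAPTURE).items():
        print(f"{src:15} n={info['queries']:2} ttls={info['ttls']} {info['reasons']}")
```

The 29-byte query against a 492-byte answer is roughly 17x at the DNS layer, which is why the victim sees far more traffic from the reflectors than the attacker had to send. Note that a steady TTL does not clear a source: 198.51.100.22 is still flagged on ANY-only behaviour alone.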

Yup, they're all "ANY" requests. The varying TTLs indicate that they're most likely spoofed. We are also now seeing similar traffic from RFC 1918 "source" addresses trying to ingress our network (but being stopped by our border filters).

Looks like the kiddies are playing....

Other than being non-compliant, is an "ANY" query used by any major
software? Could someone rate limit ANY responses to mitigate this
particular issue?

Once upon a time, Joel Maslak <jmaslak@antelope.net> said:

Other than being non-compliant, is an "ANY" query used by any major
software? Could someone rate limit ANY responses to mitigate this
particular issue?

I believe qmail still uses ANY lookups.
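Joel's question above is essentially the response rate limiting (RRL) that BIND later shipped: the `rate-limit { responses-per-second N; slip M; };` statement in `options` (BIND 9.9.4 and later), with `minimal-any yes;` (9.11 and later) to shrink ANY answers sent over UDP. The following is an added, simplified model of the idea, not BIND's code and not anything posted in the thread: responses are budgeted per (client /24, qname, qtype), and once a key is over budget every `slip`-th response is sent truncated (TC=1, a few dozen bytes) so a genuine resolver retries over TCP while a spoofed victim receives only small packets; the rest are dropped. The scenario, timings and starting-credit rule are constructed.

```python
"""Response rate limiting for an authoritative DNS server, simplified model.

Added example, not BIND's code. Budget per (client /24, qname, qtype):
within budget answer normally; over budget, every `slip`-th response goes
out truncated (TC=1) and the rest are dropped. A real resolver that gets
TC retries over TCP, which a spoofed source cannot complete.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass
class Bucket:
    credits: float   # responses still allowed; negative means over budget
    last: float      # time of last update
    over: int = 0    # over-budget responses so far, drives the slip cadence


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, window=15, slip=2, prefix_len=24):
        self.rps = responses_per_second
        self.max_credits = responses_per_second * window  # burst an idle key may save up
        self.slip = slip
        self.prefix_len = prefix_len
        self.buckets = {}

    def _key(self, client, qname, qtype):
        # Spoofed floods usually walk a victim's whole netblock, so bucket by prefix.
        net = ipaddress.ip_network(f"{client}/{self.prefix_len}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype)

    def decide(self, now, client, qname, qtype):
        """Return 'answer', 'slip' (send truncated) or 'drop' for one response."""
        key = self._key(client, qname, qtype)
        bucket = self.buckets.get(key)
        if bucket is None:
            # a new key starts with one second's worth of credit (assumption)
            bucket = self.buckets[key] = Bucket(credits=self.rps, last=now)
        bucket.credits = min(self.max_credits, bucket.credits + (now - bucket.last) * self.rps)
        bucket.last = now
        bucket.credits -= 1
        if bucket.credits >= 0:
            return "answer"
        bucket.over += 1
        if self.slip and bucket.over % self.slip == 0:
            return "slip"
        return "drop"


def simulate():
    """Constructed scenario: 20 spoofed ANY queries for one name in the same
    second, an ordinary A query from elsewhere, an ANY for a different name
    from the flooded /24, and one more flood query ten seconds later."""
    rrl = ResponseRateLimiter(responses_per_second=5, slip=2)
    flood = Counter(rrl.decide(0.0, "203.0.113.7", "traffiq.com", 255) for _ in range(20))
    legit = rrl.decide(0.5, "192.0.2.10", "traffiq.com", 1)
    other_name = rrl.decide(0.5, "203.0.113.200", "www.traffiq.com", 255)
    later = rrl.decide(10.0, "203.0.113.7", "traffiq.com", 255)
    return flood, legit, other_name, later


if __name__ == "__main__":
    flood, legit, other_name, later = simulate()
    print("flood:", dict(flood), "| legit A:", legit,
          "| other name:", other_name, "| 10 s later:", later)
```

Of the 20 flood queries only 5 are answered in full; 7 go out truncated and 8 are dropped, while the unrelated A query and the different name are unaffected, and the flooded key recovers once its credit refills. The limiter does nothing about the spoofing itself, it only caps how much the server contributes to the victim's inbound traffic.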

Since it is spoofed traffic we block the "source", so we are not participating in flooding the real IP address.
The real issue is verify unicast reverse path not being implemented, so that IP addresses cannot be spoofed!
(unless we are dealing with some major unknown vulnerabilities in our infrastructure)
After a few days we will unblock again.

Regards,

Rob Vercouteren
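Rob's point about unicast reverse path verification (uRPF; on Cisco IOS the per-interface knobs are `ip verify unicast source reachable-via rx` for strict mode and `reachable-via any` for loose mode) and Leland's RFC 1918 border filter come down to the same FIB lookup on the source address. The following is an added example, not from the thread or any vendor's code: a small longest-prefix-match table with discard routes for RFC 1918 space, and the strict and loose checks run against constructed packets. The interface names, prefixes and the rule that loose mode on the upstream link accepts the default route are assumptions.

```python
"""Unicast reverse path forwarding (uRPF) and bogon ingress filtering, modelled.

Added example, not from the thread or any vendor. Interface names and
prefixes are assumptions; addresses are RFC 5737 documentation ranges.
"""
import ipaddress


class Fib:
    """Longest-prefix-match forwarding table. Interface "Null0" is a discard route."""

    def __init__(self, routes):
        self.routes = sorted(((ipaddress.ip_network(p), ifc) for p, ifc in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        for net, ifc in self.routes:
            if addr in net:
                return net, ifc
        return None, None


def urpf_check(fib, src, ingress, mode="strict", allow_default=False):
    """Return (accept, reason) for a packet with source `src` arriving on `ingress`.

    Strict: the best route back to the source must leave via the ingress
    interface; safe on single-homed customer and stub links, where it stops
    spoofing at the first hop. Loose: any non-discard route will do; used on
    peering/transit links where paths are asymmetric, so there it is the
    bogon discard routes that catch RFC 1918 sources."""
    net, out = fib.lookup(src)
    if net is None or out == "Null0":
        return False, "no route or discard route for source"
    if net.prefixlen == 0 and not allow_default:
        return False, "matched only the default route"
    if mode == "strict" and out != ingress:
        return False, f"reverse path via {out}, packet arrived on {ingress}"
    return True, "ok"


# Constructed edge router: two customer links, one upstream, RFC 1918 discarded.
FIB = Fib([
    ("198.51.100.0/24", "Gi0/1"),   # customer A
    ("203.0.113.0/24", "Gi0/2"),    # customer B
    ("10.0.0.0/8", "Null0"),        # bogon discard routes
    ("172.16.0.0/12", "Null0"),
    ("192.168.0.0/16", "Null0"),
    ("0.0.0.0/0", "Gi0/0"),         # default to upstream
])

# Constructed packets: (source, ingress interface, uRPF mode configured there)
PACKETS = [
    ("198.51.100.5", "Gi0/1", "strict"),   # customer A, genuine
    ("203.0.113.9", "Gi0/1", "strict"),    # customer A spoofing customer B
    ("192.0.2.77", "Gi0/1", "strict"),     # customer A spoofing the Internet
    ("203.0.113.9", "Gi0/0", "loose"),     # from upstream, route exists
    ("192.0.2.77", "Gi0/0", "loose"),      # from upstream, default route only
    ("10.4.4.9", "Gi0/0", "loose"),        # RFC 1918 source from upstream
]


def filter_packets(fib=FIB, packets=PACKETS):
    """Apply the configured mode per interface; the upstream link runs loose
    mode with allow-default, since only the default route points that way."""
    return [(src, ifc, *urpf_check(fib, src, ifc, mode, allow_default=(mode == "loose")))
            for src, ifc, mode in packets]


if __name__ == "__main__":
    for src, ifc, ok, why in filter_packets():
        print(f"{'pass' if ok else 'DROP':4} {src:14} on {ifc}: {why}")
```

Strict mode on the customer links drops both spoofed packets at the first hop, which is the behaviour Rob is asking every operator to deploy; loose mode on the upstream still lets the asymmetric-but-legitimate source through while the Null0 routes drop the RFC 1918 source, which is the border filter Leland describes. Strict mode on a multihomed or asymmetric link would drop legitimate traffic, so the mode has to be chosen per interface.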