Posted Tuesday 10th February 2009 08:35 GMT
Firewalls at the ISP end of the link are normally more effective as they save your link bandwidth.
If its your business, use multiple links for different types of traffic or have bandwidth management running at both ends of the link. Internally generated traffic (that includes DNS, email, outbound http etc) shouldn't be able to interfere with income-generating inbound http. A decent ISP should be willing to filter port 53 (stateless router ACLs are fine) at their end.
Security - its about risk management.
There's an opportunity for ISP's here. For traffic to/from the internet, most organisations have relatively static requirements. I suspect the reason this hasn't taken off is outrageous pricing attached to such options. Virtual machines running OSS firewalls under customer control are probably all most organisations actually need.
Posted Tuesday 10th February 2009 09:17 GMT
For one thing, only version of BIND earlier than 9.4 are vulnerable in the "best practice" configuration to the amplification effect. In 9.4 and later with recursion disabled for external clients, the response to the forged requests is "REFUSED", rather than the list of root servers. This makes the reflected traffic actually slightly smaller than the original request, thus defeating the amplification.
Also, it is possible to block the forged datagrams with a firewall without blackholing the victim. The vast majority (all?) of the victim DNS servers are authoritative-only servers that don't service requests for recursion, so blocking datagrams coming "from" them that have a source port other than 53, and destination port of 53 is completely safe. It's also possible in some firewalls to use byte-offset inspection features to specifically block requests for '.' going to your DNS servers.
There have been extensive discussions on the NANOG, BIND-users, and dnsops mailing lists. It's certainly recommended reading. Google is your friend here (hint, use site:). Try "amplification", "queries for root", "./NS/IN", "dns ddos", etc...
http://www.merit.edu/mail.archives/nanog/
http://marc.info/?l=bind-users&r=1&w=2
https://lists.dns-oarc.net/pipermail/dns-operations/
As a final note, I wrote a quick & dirty log parser that examines BIND log for the current hour to see how many queries for '.' there have been and what IPs are being targeted by them:
http://www.SMTPS.net/pub/dns-amp-watch.pl
--
chort
Posted Tuesday 10th February 2009 09:17 GMT
"(Readers who know how to change this default behavior for other packages are invited to leave a comment or contact me using this link)."
Dan,
MeThinks that is Proprietary [Private Patents Pending in Published Prior Art] Information of QuITe Considerable Priceless Value.
Posted Tuesday 10th February 2009 10:09 GMT
ISPs could easily block packets with a spoofed source address. I know that they will complain that there's a cost associated with so doing, but they seem to be able to fund deep packet inspection so that they can throttle P2P traffic.
I realise that we can't realistically expect every ISP to do this but, even if only the major ones did, it could substantially reduce many forms of DDoS attack.
Posted Tuesday 10th February 2009 10:58 GMT
Correct but yes, you can expect EVERY SINGLE ISP to pull their finger out and block spoofed IP addresses. Apart from the illegality of it, it wastes their bandwidth (important for small ISPs).
Any ISP which is not blocking spoofed IP addresses should be blocked upstream from accessing the internet. This will lose them customers and encourage them to pull their finger out.
And yes, universities etc are ISPs in this context and shoudl be blocked as a matter of course !!
Posted Tuesday 10th February 2009 11:34 GMT
Dammit; stop putting those NSFW URLs and domain names in your news stories!
Must..... Resist... Temptation....
(Incidentally, kudos to 'chort' for using the phrase "quick & dirty log parser" in the context of a story about tranny porn site ; )
Anon, 'cos I know they're watching me...
Posted Tuesday 10th February 2009 11:34 GMT
And here's a tale of chasing the dragon/horse that has bolted ...... http://www.guardian.co.uk/technology/2009/feb/10/obama-review-cyber-security ..... which is more than just a bit relevant.
Posted Tuesday 10th February 2009 12:31 GMT
If packet inspection for spoofing of the origin isn't practical, can't simple accounting help ? It seems capping total DNS responses per (potentially spoofed) origin would severly reduce the interest of using DNS servers as DDoS amplifiers.
Posted Tuesday 10th February 2009 13:03 GMT
The simple answer is that the whole Internet needs a overhaul. The protocols, and proberbly even the orginal ideas, were not for what the Internet has become. The may be fine for what the Internet should be, but not what it is.
Mines the one with the torn up RFC's in the pocket.
Posted Tuesday 10th February 2009 13:03 GMT
The one that I first got to know, the one full of programming and scientific information, the one where leaving services open was a courtesy and not a security hole... When did that internet die?
Was it when we let the great unwashed in and then commercial entities decided to cash in?
Screw it, I'm off to make own internet, with blackjack. And hookers. In fact forget the internet....
Posted Tuesday 10th February 2009 13:03 GMT
"novel way to inflict major damage on hardened targets"
Porn? Hardened? Suit yourselves!
Posted Tuesday 10th February 2009 13:11 GMT
Spot on guys! I was thinking this myself as there's no legitimate use for spoofing the sender's address.
Is spoofing covered by an RFC? If so then filtering can be implemented without delay as a simple engineering issue. Otherwise, as long as it's in the ISP's terms and conditions then users are aware that packets will be filtered to prevent spoofing.
Posted Tuesday 10th February 2009 14:26 GMT
So the DDoS attacks that are being targeted at some of the bigger names in the security industry also appear to be targeting transvestite sites. Now theirs a botnet owner who appears to have serious issues with regards to their own sexuality!
Posted Tuesday 10th February 2009 14:26 GMT
I'm pretty sure that's the Internet we alreay have again mate!
Paris? Because I can't believe she's not here already (at the time of reading) on comments about Internet prawn!
Posted Tuesday 10th February 2009 15:31 GMT
As discussed on ISC/SANS, snort_inline + the Emerging Threats ruleset stopped this dead in its tracks. It is, indeed, unfortunate that packet filtering needs to be done at this level these days, but it's becoming an all too common reality. If anyone is interested, ET SID 2009030 in the emerging.rules set is the one to slot in. You may also want to examine your recursive and query cache restrictions, although you're still going to be contributing to this with your recursion denial replies without a decent ruleset on your firewall. It is better not to have the query reach the nameserver in the first place. Another method would possibly be to verify the path against the packet's TTL (some firewalls, I believe, can do this as an anti-spoof method) but, again, this uses up bandwidth, both this end and that of the host that is already under attack.
I did get a reply from Nationalnet's abuse@ contact when all this started (over a fortnight ago now), which was rather informative. However, I don't have permission to forward or disclose its contents. Suffice to say the admins on the receiving end of this are well aware of what's going on and we in the middle have evolved our methods of detecting and mitigating this type of DoS amplification attack quite sufficiently to be able to handle it if it rears its head again. DNS is, and always will be in this incarnation, insecure. We've known this for ages. This type of attack was always possible, especially given the UDP spoofing ability of people using ISPs without egress filtering and sanity checks on their edge routers. This, I believe, is the root of the problem: ISPs' routers passing packets that a cursory glance at the headers would confirm could not have originated from the address it claims to have come from.
Naturally, this attack is still ongoing. My snort logs show roughly two events a second for different IPs, with these IPs changing all the time (89.149.221.182, Netdirect, is the latest). There were some reports of the miscreants turning on the mail server if their attack was blocked on port 53 but, with SMTP requiring TCP, I very much doubt this as it would expose the source IP addresses rather quickly, leading us to at least the botnet. I certainly haven't seen any increase in port 25 activity and, believe me, I AM monitoring everything very closely.
Posted Tuesday 10th February 2009 15:31 GMT
There's no RFC that I'm aware of that says providers should accept traffic from their customers with clearly forged origins. On the other hand, BCP38/RFC2827 has existed since 2000 and describes what ISPs should do to filter their traffic to prevent exactly this sort of attack. Sadly, most providers do not filter traffic from their customers to prevent packets with source IP addresses that are not within the networks they advertise.
Posted Tuesday 10th February 2009 15:53 GMT
"Sadly, most providers do not filter traffic from their customers to prevent packets with source IP addresses that are not within the networks they advertise."
So we need an RFC that says BCP on the backbone is to drop packets from ISPs who fail to introduce such filtering.
Posted Tuesday 10th February 2009 16:51 GMT
The article mentioned this being the work of the BlackEnergy toolkit, so how do PC's get BotNets, the simple answer, people with infected windows machines and that leads me to my next question how often does your internet provider go that one step further and provide the home user with a firewall to go with their new ADSL modem, the answer to that, never!
So you've got all these machines with no firewall being stolen off their owners and turned into a Bot-Net.
The BlackEnergy Toolkit was written by a Russian hacker by the name of Crash (Cr4sh) if your looking for someone to blame, I suggest we turn our attention in his direction.
I even found his website, where he uploads, trojans and more bot kits for windows machines.
I can only close by saying I hope the FSB and KGB go knocking on his door!
Posted Tuesday 10th February 2009 16:51 GMT
If people that released these kind of BotNet toolkits got made an example of and kids where educated better as to why its illegal to go cracking machines they dont own, then the whole internet would be a better experience for us all.
This post has been deleted by a moderator
This post has been deleted by a moderator
Posted Tuesday 10th February 2009 22:37 GMT
That internet has been going away for the last 10 years.
- I used to be able to telnet into the campus' RS/6000 workstations. Not anymore.
- I used to have *public* *routeable* IP addys at my campus, work, or wherever I had internet access. Not anymore.
- I used to be able to finger most UNIX/Linux servers on the net, and even "talk user@somewhere.edu" every now and then. Finger was one of the first services blocked for "security reasons".
- I used to see people who blocked port 23,25,110 from the internet as rude people. Now *I* have to block them down, as well as port 22 to keep the botnets at bay.
The Internet lost its "interconnected" appeal the day we started using the "private" IPs; which are basically a stop-gap solution to avoid running out of IPv4 space. Now with this DNS exploit, it seems that DNS servers are going to lose their adaptability: if root servers change, I should be able to ask any DNS for this. But it seems that thanks to the botnets, this will be blocked as well.
I want my 1996 internet back.
Posted Wednesday 11th February 2009 12:47 GMT
"if root servers change, I should be able to ask any DNS for this. But it seems that thanks to the botnets, this will be blocked as well."
Root server lists are still handled the same way they were back when I started using the Internet in the early '90s: a flat text file that you download from INTERNIC. There's also a fall-back copy hard-coded into BIND.
Also, the demise of the "interconnected" Internet didn't start with RFC1918 IP addresses, it started with the Morris Worm when people realized that a default-trusting security model didn't make any sense if there was so much as one malicious user on the network.
Get your history straight.
Since I'm writing this, I might as well tell Enigma9 to pull their head out from between their legs as well. Modern malware isn't written for clueless script kiddies, it's written for calculating criminals. Thinking that giving youngsters a sobering lesson will stop Internet attacks is mind-numbingly naïve. Are you perhaps an incarnation of n3td3v? You're as uninformed, but loudly opinionated as that twit. Get a job you waste of electrons.
--
chort
Posted Wednesday 11th February 2009 15:28 GMT
The Russians might already be using Cr4sh's services...
Posted Wednesday 11th February 2009 23:09 GMT
"So the DDoS attacks that are being targeted at some of the bigger names in the security industry also appear to be targeting transvestite sites. Now theirs a botnet owner who appears to have serious issues with regards to their own sexuality!"
Kinda my first thought too.
But then I immediately had another idea: maybe they are just testing the waters with some targets that few will care about (OK, few will *publicly admit* caring about), to later use these techniques on the real, juice, profitable targets they have.
Posted Thursday 12th February 2009 01:46 GMT
Chris Miller: excellent post! Spot on.
Adrian wrote "Apart from the illegality of it" - at first I thought he was saying the filtering was illegal, not the address spoofing!
AC: very funny!
Hardened? Well, aside from the double entendre, sure! Porn sites make money. Lots of money. So of course they'll be hardened.
Sign up, sign up for The Register's weekly IT security newsletter - click here
Back to the article
