More DDoS trouble in DNS land? [UPDATED]

update:

full technical details on how the attack works at:
http://www.isotf.org/news/dns-amplification-attacks.pdf

as a reply to my latest bugtraq post, v9 emailed this:

while you’re on the subject of the potentials of dosing using dns servers, i noticed several months ago some possible abuses myself, although i soon lost interest for some reason or another.

i noticed that a portion of the worlds dns servers for some reason or another send back large amounts of duplicate replies if, and only if, the domain being resolved does not exist.

the amount of duplicates seems to range between 2 and 24(in steps of 2, 4, 8, 12, 16, 20 and 24), where each reply packet is roughly 2.5x(including ip header) larger than the original request(because of the soa). so, for example one request to a dns server that sends 24 dups back would roughly equal 60x(24*2.5) amplification of data.

an example of a random server i found while scanning(12 dups from one request):
————————————————-term1# host x 68.1.2.3

term2# /usr/sbin/tcpdump -n src 68.1.2.3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type en10mb (ethernet), capture size 68 bytes
00:04:58.459356 ip 68.1.2.3.53 > xxx.xxx.xxx.xxx.1865: 62623 nxdomain 0/1/0 (94)
00:04:58.481281 ip 68.1.2.3.53 > xxx.xxx.xxx.xxx.1865: 62623 nxdomain 0/1/0 (94)
00:04:58.514411 ip 68.1.2.3.53 > xxx.xxx.xxx.xxx.1865: 62623 nxdomain 0/1/0 (94)
00:05:01.459157 ip 68.1.2.3.53 > xxx.xxx.xxx.xxx.1865: 62623 nxdomain 0/1/0 (94)
00:05:01.478706 ip 68.1.2.3.53 > xxx.xxx.xxx.xxx.1865: 62623 nxdomain 0/1/0 (94)
00:05:01.512249 ip 68.1.2.3.53 > xxx.xxx.xxx.xxx.1865: 62623 nxdomain 0/1/0 (94)
00:05:04.459512 ip 68.1.2.3.53 > xxx.xxx.xxx.xxx.1865: 62623 nxdomain 0/1/0 (94)
00:05:04.480542 ip 68.1.2.3.53 > xxx.xxx.xxx.xxx.1865: 62623 nxdomain 0/1/0 (94)
00:05:04.512085 ip 68.1.2.3.53 > xxx.xxx.xxx.xxx.1865: 62623 nxdomain 0/1/0 (94)
00:05:07.458823 ip 68.1.2.3.53 > xxx.xxx.xxx.xxx.1865: 62623 nxdomain 0/1/0 (94)
00:05:07.477374 ip 68.1.2.3.53 > xxx.xxx.xxx.xxx.1865: 62623 nxdomain 0/1/0 (94)
00:05:07.511919 ip 68.1.2.3.53 > xxx.xxx.xxx.xxx.1865: 62623 nxdomain 0/1/0 (94)
————————————————-

at the time i noticed this i decided to create a scanner to find out how many dns servers are susceptible to this, i found no shortage. i ran it only for a few hours starting at 68.0.0.1 and found hundreds of dns servers that sent back dup replies(mostly 12 and 8 dups).

i also created a dos tool to test the theory at the time, but i see no reason to post that.

i still don’t know the cause of this, just figured i would attach it on this subject for someone to decypher.

for anyone interested in the scanner, which is light on documentation:

http://fakehalo.us/dnsdbd-gp.c

http://fakehalo.us/dnsdbd.c

(the -gp.c version simply stores the ip of the dns server in character form so its easier to read by human eyes)

and when asked about packet captures, as i have no idea what might cause that (yet):

here are some dns servers i gathered/scanned during the time i researched
this months ago(that appear to still be up):

68.1.199.151
68.1.196.116
68.1.195.161
68.1.193.177

just remember when you test/capture packets that the domain being
resolved must not exist(ie. “x”).

i spent some time on this, and i can’t come up with a simple explanation
as to why it would be doing that, if this report is true. what would
generate these packets? apparently, being large does’t help much as
that’s how nxdomain works?

more to come.

update:

looking at this further, it seems to be the same attack with the x60
amplification effect.

we will know more when we know more.

update 2:

full technical details on how the attack works at:
http://www.isotf.org/news/dns-amplification-attacks.pdf

gadi evron,
ge@beyondsecurity.com.

Share