Full Disclosure mailing list archives
Re: New DDoS attack vector
From: joris dedieu <joris.dedieu () gmail com>
Date: Thu, 19 May 2011 18:55:24 +0200
2011/5/19 minor float <minor.float () gmail com>
> Dear list readers, today we officially published our observations regarding the new attack vector of the DDoS against the DNS servers. A full story can be read here: http://www.zone-h.org/news/id/4739
>
> Here is the excerpt. The attack phases are as follows:
>
> The attacker obtains the IP address/hostname of the target DNS server. The attacker updates the NS records of the pre-registered domain foo-domain.com with the IP address/hostname of the target DNS server. Some registrars or hosting providers do not provide this functionality; many others do. There are known hosting companies and ISPs that are supporting the spam [5]. After the NS records update the attacker waits at least 24 hours until the new records are propagated all over the Internet.

Note that it's not possible with several TLDs. E.g., the fr NIC, afinc.net (and I hope some others) check that an SOA record is present (and much more; see http://www.zonecheck.fr) on the name server before updating NS records in the registry.

> Now the attacker prepares a spam campaign. There are a few aspects to note: first, the sender mail address for the MAIL FROM can contain the same user name, but the subdomain (3rd level domain) must vary for each spam message (for example the first spam message has the sender james@subdom1.foo-domain.com but the second sender has to be james@subdom2.foo-domain.com). The second important aspect is the selection of the white horse systems. White horse systems are the SMTP incoming mail servers with a high bandwidth. Once the spam campaign has been started against the white horse systems using the spam botnet, these systems check in the background whether the sender's domain resolves to the domain MX or at least to an A record. Since the NS record is set to the target DNS server, the DNS requests will be performed to the target DNS server. The target DNS server receives multiple regular DNS requests for the bogus subdomain records (note that in previous Denial of Service attacks the DNS servers received either malformed or fragmented packets, ICMP messages or TCP SYNs with invalid length, or oversized packets, and some of these can be filtered by the firewalls or security appliances). Since the DNS server does not have the records for foo-domain.com, it has to respond negatively to the request. If the spam campaign is successful, the white horse systems flood the DNS server with multiple valid DNS requests.
>
> Regards
> Jakub Alimov [Seznam.cz]
> minor [zone-h.org]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
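As an added example (not part of the post or of the zone-h article), here is a defender-side check over constructed BIND-style query log lines that flags the pattern described in the thread: many distinct subdomains under a parent domain this server is not authoritative for, asked by many distinct clients (the receiving MTAs). The log format, the example.net zone, the thresholds and the "last two labels" parent heuristic are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of BIND-style query log lines: MX/A lookups for distinct
# throw-away subdomains of a parent we do not serve, from many clients.
SAMPLE_LOG = """\
19-May-2011 18:55:24.101 queries: info: client 203.0.113.5#4321: query: subdom1.foo-domain.com IN MX + (198.51.100.10)
19-May-2011 18:55:24.102 queries: info: client 203.0.113.6#4322: query: subdom2.foo-domain.com IN MX + (198.51.100.10)
19-May-2011 18:55:24.103 queries: info: client 203.0.113.7#4323: query: subdom3.foo-domain.com IN A + (198.51.100.10)
19-May-2011 18:55:24.104 queries: info: client 203.0.113.8#4324: query: subdom4.foo-domain.com IN MX + (198.51.100.10)
19-May-2011 18:55:24.105 queries: info: client 203.0.113.9#4325: query: www.example.net IN A + (198.51.100.10)
19-May-2011 18:55:24.106 queries: info: client 203.0.113.9#4326: query: mail.example.net IN MX + (198.51.100.10)
"""

# Zones this server is actually authoritative for (assumed for the example).
AUTHORITATIVE_ZONES = {"example.net"}

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)")

def parent_domain(name):
    # Assumption: the registrable domain is the last two labels (fine for .com/.net,
    # a public-suffix list would be needed for e.g. .co.uk).
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def in_authoritative_zone(name):
    n = name.rstrip(".").lower()
    return any(n == z or n.endswith("." + z) for z in AUTHORITATIVE_ZONES)

def find_bogus_delegations(log_text, min_subdomains=3, min_clients=3):
    """Return {parent: (distinct_subdomains, distinct_clients)} for parent domains
    we are not authoritative for but that many clients query under many names."""
    subs, clients = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or in_authoritative_zone(m["name"]):
            continue  # only off-zone queries can be a bogus delegation
        p = parent_domain(m["name"])
        subs[p].add(m["name"].lower())
        clients[p].add(m["client"])
    return {p: (len(subs[p]), len(clients[p])) for p in subs
            if len(subs[p]) >= min_subdomains and len(clients[p]) >= min_clients}

if __name__ == "__main__":
    for parent, (n_sub, n_cli) in find_bogus_delegations(SAMPLE_LOG).items():
        print(f"{parent}: {n_sub} distinct subdomains from {n_cli} clients, not in our zones")
```

A hit is a parent domain whose NS records probably point at this server without consent; the operational response is to confirm the delegation with a public lookup and report it to the registrar, while rate-limiting or refusing off-zone queries at the server.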