Security Incidents mailing list archives

RE: NT Compromise -- Update -- SRC PORT: 53 traffic


From: "Bill Royds" <broyds () rogers com>
Date: Mon, 24 Dec 2001 17:50:39 -0500

DNS can be used as an amplifier for a "smurf" type attack, which seems to be the case here.
What an attacker does is send a large series of DNS requests to many fast servers, with the victim's address as the 
return address.
Since DNS queries are UDP, there is no connection needed. The return packets are very much larger than the query, so 
a few K worth of queries returns megabytes worth of answers, all directed at the victim, not the perpetrator.
The attacker has to choose the sites to query carefully to maximize the attack. She wants to have a large packet 
returned but not more than the MTU (about 1500 bytes). If it is more than the MTU, the DNS server will attempt to initiate 
a TCP format query, which fails. 

It is using a DNS server in your range to maximize the bandwidth amplification, so I would suggest looking at the 
server that is apparently attacking you and asking it to pace replies to you to avoid the attack. Another tactic is to 
ask it to bandwidth-limit replies to you.
Both of these IPs are victims, although yours gets the effect of amplification more. 

-----Original Message-----
From: Loki [mailto:loki () fatelabs com]
Sent: Mon December 24 2001 14:31
To: incidents () securityfocus com
Subject: NT Compromise -- Update -- SRC PORT: 53 traffic


I should mention that the packets were flooding our DNS server, enough
traffic to saturate and bring down our T1. Please note that again, the
port 53 was not the DST port, rather, the SRC port of each packet.


-- 


============================================================
Loki
Founder, Chief Research Scientist
Fate Research Labs
United States VPN Division
------------------------------------------------------------
[w] http://www.fatelabs.com
[e] loki () fatelabs com
[p] +1 412 303 3115
------------------------------------------------------------
"Ipsa Scientia Potestas Est" Knowledge itself is power.
============================================================


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
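The traffic pattern described in this thread (a flood of UDP packets with source port 53, arriving at a host that never sent the matching queries) is straightforward to confirm from a packet log. The following script is an added example for this archive page, not code from either poster: it reads constructed lines in a simplified `tcpdump -n`-style format (the capture, the addresses in 192.0.2.0/24, 198.51.100.7 and 203.0.113.4, and the function names are all assumptions), pairs each inbound reply with an earlier outbound query on the same server and client port, and reports servers whose replies are unsolicited, with the byte ratio showing the amplification. Replies from a resolver we actually queried are left alone.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in a simplified "tcpdump -n" style (not a real capture).
# 192.0.2.0/24 is our network; 192.0.2.10 is our DNS server.
# 203.0.113.4 is a resolver we legitimately queried; 198.51.100.7 is an
# external server whose replies arrive without any matching query from us.
SAMPLE_LOG = """\
17:50:01.000100 IP 192.0.2.10.40000 > 203.0.113.4.53: UDP, length 45
17:50:01.000900 IP 203.0.113.4.53 > 192.0.2.10.40000: UDP, length 120
17:50:01.001000 IP 198.51.100.7.53 > 192.0.2.10.1024: UDP, length 1400
17:50:01.001100 IP 198.51.100.7.53 > 192.0.2.10.1025: UDP, length 1400
17:50:01.001200 IP 198.51.100.7.53 > 192.0.2.10.1026: UDP, length 1400
17:50:01.001300 IP 198.51.100.7.53 > 192.0.2.10.1027: UDP, length 1400
17:50:01.002000 IP 192.0.2.10.40001 > 203.0.113.4.53: UDP, length 50
17:50:01.002800 IP 203.0.113.4.53 > 192.0.2.10.40001: UDP, length 210
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"UDP, length (?P<len>\d+)$"
)


def parse_line(line):
    """Return (src, sport, dst, dport, length) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["len"]))


def dns_reply_stats(lines, our_net, dns_port=53):
    """Per external server: bytes we sent as queries, bytes received as replies,
    and the number of replies for which no query (server, our port) was seen."""
    net = ipaddress.ip_network(our_net)
    outstanding = set()  # (server, our_port) pairs with a query in flight
    stats = defaultdict(lambda: {"query_bytes": 0, "reply_bytes": 0,
                                 "replies": 0, "unsolicited": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, sport, dst, dport, length = rec
        src_ours = ipaddress.ip_address(src) in net
        dst_ours = ipaddress.ip_address(dst) in net
        if src_ours and not dst_ours and dport == dns_port:
            # Outbound query from us: remember the port so its reply is recognised.
            outstanding.add((dst, sport))
            stats[dst]["query_bytes"] += length
        elif dst_ours and not src_ours and sport == dns_port:
            # Inbound packet from port 53: a reply only if we asked for it.
            s = stats[src]
            s["reply_bytes"] += length
            s["replies"] += 1
            if (src, dport) in outstanding:
                outstanding.discard((src, dport))
            else:
                s["unsolicited"] += 1
    return dict(stats)


def suspected_amplifiers(stats, min_unsolicited=3):
    """Servers sending replies we never asked for; ratio is reply bytes per query byte
    (infinite when we sent that server no queries at all)."""
    out = []
    for server, s in stats.items():
        if s["unsolicited"] >= min_unsolicited:
            ratio = s["reply_bytes"] / s["query_bytes"] if s["query_bytes"] else float("inf")
            out.append((server, s["unsolicited"], s["reply_bytes"], ratio))
    return sorted(out, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    stats = dns_reply_stats(SAMPLE_LOG.splitlines(), "192.0.2.0/24")
    for server, n, b, r in suspected_amplifiers(stats):
        print(f"{server}: {n} unsolicited replies, {b} bytes, reply/query byte ratio {r}")
```

On a real capture the reflecting server is itself a victim, as the reply above notes, so the output is the list of operators to contact about rate-limiting replies towards your address, and the byte counts tell you how much of your link each one is consuming.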
