NetOps: Please disable recursive DNS on all routers
Hi,

HamWAN has been used as a DNS amplifier in a DDoS attack. I'm tied up with acquiring some chip fab gear the next couple days (yay!). Can I ask you guys with net ops access to go through the whole network and disable DNS service everywhere? Example of problem:

eo@jo ~ $ dig @44.24.240.133 google.com. A +recurse

; <<>> DiG 9.9.2 <<>> @44.24.240.133 google.com. A +recurse
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65363
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 300 IN A 173.194.33.70
google.com. 300 IN A 173.194.33.66
google.com. 300 IN A 173.194.33.69
google.com. 300 IN A 173.194.33.65
google.com. 300 IN A 173.194.33.68
google.com. 300 IN A 173.194.33.72
google.com. 300 IN A 173.194.33.73
google.com. 300 IN A 173.194.33.64
google.com. 300 IN A 173.194.33.71
google.com. 300 IN A 173.194.33.67
google.com. 300 IN A 173.194.33.78

;; Query time: 51 msec
;; SERVER: 44.24.240.133#53(44.24.240.133)
;; WHEN: Sat Oct 12 22:56:37 2013
;; MSG SIZE rcvd: 204

PS: We gotta get some automation up in here for config control.

--Bart
I'll be working on it this morning.

Nigel

On Oct 12, 2013, at 11:32 PM, Bart Kus wrote:
_______________________________________________ PSDR mailing list PSDR@hamwan.org http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org
I didn't notice during my San Jose trip...did all the DNS services get shut down as expected?

--Bart

On 10/13/2013 7:41 AM, Nigel Vander Houwen wrote:
Yes. DNS was disabled in the firewall at the edge router, and all modems and routers at the sites had remote DNS queries disabled.

Nigel

On Oct 16, 2013, at 11:05 PM, Bart Kus wrote:
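An added example, not part of the original thread: one way to automate the check Bart ran by hand with dig, so each router can be re-audited after remote DNS is disabled. The function names are hypothetical, and the sample replies are constructed to mirror the flags (qr rd ra), answer count (11) and size (204 bytes) of the dig output in the first message, using 192.0.2.x documentation addresses.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Encode an A query with RD set, like `dig +recurse`."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return (struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!HH", 1, 1))

def audit_response(query, response):
    """Classify the reply (or lack of one) to a recursive query from outside."""
    if response is None:
        return {"verdict": "filtered"}      # dropped, e.g. by the edge firewall
    if len(response) < 12:
        return {"verdict": "malformed"}
    qid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if qid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return {"verdict": "malformed"}     # wrong ID or QR bit clear
    ra, rcode = bool(flags & 0x0080), flags & 0x000F
    # Open resolver: recursion available, NOERROR and answers handed to a stranger.
    is_open = ra and rcode == 0 and answers > 0
    return {"verdict": "open-resolver" if is_open else "closed",
            "ra": ra, "rcode": rcode, "answers": answers,
            "amplification": round(len(response) / len(query), 2)}

def probe(host, name="example.com", timeout=2.0):
    """Send one recursive query over UDP/53 to a router you operate."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (host, 53))
            reply = s.recvfrom(4096)[0]
        except OSError:                     # timeout or ICMP unreachable
            reply = None
    return audit_response(query, reply)

def sample_open_reply(query, n=11):
    """Constructed reply: flags qr rd ra, NOERROR, n A records (192.0.2.x)."""
    head = query[:2] + struct.pack("!HHHHH", 0x8180, 1, n, 0, 0)
    rrs = b"".join(struct.pack("!HHHIH4B", 0xC00C, 1, 1, 300, 4, 192, 0, 2, i + 1)
                   for i in range(n))
    return head + query[12:] + rrs

def sample_refused_reply(query):
    """Constructed reply from a router refusing remote queries: RCODE 5, RA clear."""
    return query[:2] + struct.pack("!HHHHH", 0x8105, 1, 0, 0, 0) + query[12:]
```

Run `probe()` from a host outside the network against each router's public address; anything other than `filtered` or `closed` means recursion is still reachable from the Internet.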
participants (2)
- Bart Kus
- Nigel Vander Houwen