New (as in today) exploit known to use port 53?

Exavior ([H]F Junkie, joined Dec 13, 2005, 9,700 messages)
I thought I would post here to see if anyone else is seeing this. I work for a small Telco/ISP. We just had an issue come up in the past few hours (now that people are getting home from work / school and getting online). There is a massive amount of incoming traffic to port 53 to a large number of users on our network. To the point where our normal load to our DNS servers is about 2 or 3 Mbps, there is about 150 Mbps worth of traffic using that port coming into our customer base.

We cut this off for the time being by just setting up a rule to block port 53 toward our customers.

I am not finding anything about a new zero-day exploit for anything, so I thought I would see if anyone else knows about anything or is seeing anything like this on their networks.
 
This isn't new. This is a normal DNS DDoS. Basically they use improperly configured DNS servers/users and just flood you with DNS requests. There's no exploit going on.

I hope your customers aren't actually hosting DNS, because if so, you just blackholed most of their traffic as their DNS is now down because of it.
 
I run my own DNS server... anything I need to know about this and ways to protect myself? First time I hear of it.
 
> This isn't new. This is a normal DNS DDoS. Basically they use improperly configured DNS servers/users and just flood you with DNS requests. There's no exploit going on.
>
> I hope your customers aren't actually hosting DNS, because if so, you just blackholed most of their traffic as their DNS is now down because of it.

Yeah, fully aware of that last part, but none of them would be. They have us take care of their DNS entries for them in our servers.

Ok, so this isn't actually our customers pulling something down. Just a large percentage of our IPs (I didn't see anything about this, was just called about the issue being mitigated for now and that it was a very large percentage of our customer base) somehow made their way into some list that is now all being attacked. Guess we just wait it out and hopefully it will end before too long, and unblock it then.
 
> I run my own DNS server... anything I need to know about this and ways to protect myself? First time I hear of it.

Yeah, I never heard of this either, although my job has never been dealing with world-facing DNS servers. I was the sys/net admin for the in-house stuff with private DNS servers, and now am a network admin over our xDSL/FttH network.

Looking around some, this has some tips about what to do:

http://blog.trendmicro.com/trendlab...ing-dns-reflection-denial-of-service-attacks/
 
Talking to our admin: after blocking the incoming traffic on port 53 that was flooding everything, he is now noticing that all of those that were being attacked are trying to query a very large TXT record from a single domain. Is that normal, that the attacked device would turn around and start trying to do queries then as part of a reflected DNS DDoS attack?
 
> Talking to our admin: after blocking the incoming traffic on port 53 that was flooding everything, he is now noticing that all of those that were being attacked are trying to query a very large TXT record from a single domain. Is that normal, that the attacked device would turn around and start trying to do queries then as part of a reflected DNS DDoS attack?

"What's being attacked" is actually the spoofed address.

How it works:

Something (virus/trojan/etc.) causes the zombie machine to spoof the IP address of the target.

Zombie then goes and makes a bunch of DNS queries against a high-load record (a large TXT record or a DNSSEC key, or something of that nature).

The DNS server replies to the spoofed address with a LOT of data, much more than was sent in.

The DNS replies go to target, DDoSing it.

Your servers may have done 3MB in, but you were probably doing 50+mb out in response, and you were most certainly not the only affected DNS server, so you can see how this might be "interesting".

I would not be surprised if you run a dig +x on the target IP addresses that they are from CN or VN.

This has been a very common attack vector since November of 2011.

If you're looking for protection mechanisms, I've worked in the industry and have a few you can implement.
Also notice that unless you run your DNS servers on Amazon and are charged by the microsecond of processing time, this probably won't really impact you as a DNS server at all.
You'll just have more queries.
 
> "What's being attacked" is actually the spoofed address.
>
> How it works:
>
> Something (virus/trojan/etc.) causes the zombie machine to spoof the IP address of the target.
>
> Zombie then goes and makes a bunch of DNS queries against a high-load record (a large TXT record or a DNSSEC key, or something of that nature).
>
> The DNS server replies to the spoofed address with a LOT of data, much more than was sent in.
>
> The DNS replies go to target, DDoSing it.
>
> Your servers may have done 3MB in, but you were probably doing 50+mb out in response, and you were most certainly not the only affected DNS server, so you can see how this might be "interesting".
>
> I would not be surprised if you run a dig +x on the target IP addresses that they are from CN or VN.
>
> This has been a very common attack vector since November of 2011.
>
> If you're looking for protection mechanisms, I've worked in the industry and have a few you can implement.
> Also notice that unless you run your DNS servers on Amazon and are charged by the microsecond of processing time, this probably won't really impact you as a DNS server at all.
> You'll just have more queries.

In my case though our DNS server was fine. It wasn't being bothered. And there was no spoofing involved to cause the customer data.

Our clients were sending out the requests to multiple other DNS servers and getting the responses from those servers for the large TXT records from a single domain. Wireshark actually did show both the request and the response. So nothing was being spoofed to cause the traffic to come back to us, as our customers actually were making the requests.

It was like a botnet was suddenly turned on and 3000 of our customers were being used to do the DDoS against a few DNS servers.

Which is why I had asked whether it would be normal that the spoofed IP address, after having the first response from the DNS server hit it, would then for some odd reason take over and start requesting more stuff repeatedly on its own. To me it seems more like we just have a massive virus infection on our customer base and they were being used for something bad, more than something outside our network just using our IPs for spoofing and us seeing the fallback.
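The thread ends on exactly the distinction a network admin has to make from the wire: a customer address that only receives large DNS answers it never asked for (its address was spoofed elsewhere, the reflection case in the "How it works" post) versus a customer host that itself sends TXT queries to many resolvers and receives the matching answers (the infected-client case the OP saw in Wireshark). The script below is an added example written for this thread, not code from any poster; it runs a small classifier over constructed flow records (the customer prefix, resolver addresses, sizes and thresholds are all assumptions) and also reports the byte amplification per host, which is the number behind the "3MB in, 50+mb out" remark.

```python
"""Separate reflection victims from bot participants in UDP/53 flow records.

Added example for the DNS reflection thread above; all hosts, sizes and
thresholds are constructed. Real input would come from NetFlow/sFlow or a
pcap decode that exposes the DNS QR bit and query type per datagram.
"""
from collections import defaultdict
from dataclasses import dataclass, field

CUSTOMER_PREFIX = "198.51.100."   # assumption: the ISP's customer block (TEST-NET-2)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    qtype: str         # query type from the DNS question section, "-" if undecoded
    is_response: bool  # DNS header QR bit
    nbytes: int        # UDP payload size


def mk_query(client, resolver, qtype="TXT", nbytes=60):
    return Flow(client, resolver, 40000, 53, qtype, False, nbytes)


def mk_response(resolver, client, qtype="TXT", nbytes=3000):
    return Flow(resolver, client, 53, 40000, qtype, True, nbytes)


# Constructed sample traffic (resolvers live in TEST-NET-1/-3, outside the customer block):
SAMPLE_FLOWS = []
# .10: infected customer querying one large TXT record from four open resolvers; both directions seen
for r in ("203.0.113.5", "203.0.113.6", "203.0.113.7", "203.0.113.8"):
    for _ in range(5):
        SAMPLE_FLOWS.append(mk_query("198.51.100.10", r))
        SAMPLE_FLOWS.append(mk_response(r, "198.51.100.10"))
# .20: spoofed-source victim; only answers arrive, no query ever left this host
for r in ("203.0.113.5", "203.0.113.9", "203.0.113.10"):
    for _ in range(8):
        SAMPLE_FLOWS.append(mk_response(r, "198.51.100.20"))
# .30: ordinary client; a few A lookups against the ISP resolver with small answers
for _ in range(3):
    SAMPLE_FLOWS.append(mk_query("198.51.100.30", "192.0.2.53", "A", 45))
    SAMPLE_FLOWS.append(mk_response("192.0.2.53", "198.51.100.30", "A", 120))


@dataclass
class HostStats:
    out_queries: int = 0
    out_txt_queries: int = 0
    in_responses: int = 0
    in_bytes: int = 0
    out_bytes: int = 0
    resolvers: set = field(default_factory=set)


def summarize(flows, prefix=CUSTOMER_PREFIX):
    """Aggregate per customer host: what it asked, whom it asked, and what came back."""
    stats = defaultdict(HostStats)
    for f in flows:
        if f.dport == 53 and not f.is_response and f.src.startswith(prefix):
            s = stats[f.src]
            s.out_queries += 1
            s.out_bytes += f.nbytes
            s.resolvers.add(f.dst)
            if f.qtype == "TXT":
                s.out_txt_queries += 1
        elif f.sport == 53 and f.is_response and f.dst.startswith(prefix):
            s = stats[f.dst]
            s.in_responses += 1
            s.in_bytes += f.nbytes
    return dict(stats)


def amplification(s):
    """Answer bytes received per query byte sent; infinite when the host sent nothing."""
    return s.in_bytes / s.out_bytes if s.out_bytes else float("inf")


def classify(s, min_events=10, min_resolvers=3, txt_share=0.8):
    """Thresholds are constructed; tune them against a baseline of your own traffic."""
    if s.in_responses >= min_events and s.out_queries == 0:
        return "reflection_target"   # unsolicited answers: our address was spoofed elsewhere
    if (s.out_queries >= min_events and len(s.resolvers) >= min_resolvers
            and s.out_txt_queries / s.out_queries >= txt_share):
        return "bot_participant"     # the host itself is sourcing the amplifying queries
    return "normal"


def report(flows=SAMPLE_FLOWS):
    return {host: classify(s) for host, s in summarize(flows).items()}


if __name__ == "__main__":
    for host, s in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"{host}: {classify(s):18s} amplification={amplification(s):.1f}x "
              f"resolvers={len(s.resolvers)}")
```

The two verdicts call for different responses: a reflection target is helped by filtering unsolicited inbound answers (a block like the OP's, but scoped to that host), while a bot participant is an infected customer whose outbound queries should be rate-limited or the customer notified; a blanket inbound port 53 block does nothing for the second case, which matches what the admin saw after the block went in.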
 