lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <BANLkTimL4BxitPzwZ34M85ROGPouwRywoQ@mail.gmail.com>
Date: Thu, 19 May 2011 16:44:06 +0200
From: minor float <minor.float@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: New DDoS attack vector

Dear list readers, on today we officially published our observations
regarding the new attack vector of the DDoS against the DNS servers.

A full story can be read here http://www.zone-h.org/news/id/4739

Here is the excerpt.


The attack phases are as follows:

The attacker obtains the IP address /​host­name of the tar­get DNS server.

The attacker updates the NS records of the pre-​registered domain foo
-domain​.com with the IP address /​host­name of the tar­get DNS
server. Some reg­is­trars or host­ing providers do not pro­vide this
func­tion­al­ity, many other do. There are known host­ing com­pa­nies
and ISP that are sup­port­ing the spam [5]. After the NS records
update the attacker waits at least 24 hours until the new records are
prop­a­gated all over the Internet.
Now the attacker pre­pares a spam cam­paign. There are few aspects to
note: as first, the sender mail address for the MAIL FROM can con­tain
the same user name, but the sub­do­main — 3rd level domain must vary
per each spam mes­sage (for exam­ple first spam mes­sage has the
sender james@​subdom1​.​foo-​domain.​com but the sec­ond sender has to
be james@​subdom2​.​foo-​domain.​com).

The sec­ond impor­tant aspect is the selec­tion of the white horse
sys­tems. White horse sys­tems are the SMTP incom­ing mail servers
with a high bandwidth.

Once the spam cam­paign has been started to the white horse sys­tems
using the spam bot­net, these sys­tems check on the back­ground
whether the sender’s domain resolves to the domain MX or at least to
an A record. Since the NS record is set to the tar­get DNS server, the
DNS requests will be per­formed to the tar­get DNS server.

Tar­get DNS server receives mul­ti­ple reg­u­lar DNS requests for the
bogus sub­do­main records(note that in the pre­vi­ous Denial of
Ser­vice attacks against the DNS servers received either mal­formed,
frag­mented, ICMP mes­sages or TCP SYN, with invalid length, or
over­sized and some of these can be fil­tered by the fire­walls or
secu­rity appli­ances). Since the DNS server does not have the records
for the foo​-domain​.com, it has to respond neg­a­tively to the
request. If the spam cam­paign is suc­cess­ful, the white horse
sys­tems flood the DNS server with mul­ti­ple valid DNS requests.

Regards

Jakub Alimov [Seznam.cz]
minor [zone-h.org]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ