lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <BANLkTineExnvvVrN=m4D=3ocTMSx3m0rxw@mail.gmail.com>
Date: Thu, 19 May 2011 18:55:24 +0200
From: joris dedieu <joris.dedieu@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: New DDoS attack vector

2011/5/19 minor float <minor.float@...il.com>

> Dear list readers, on today we officially published our observations
> regarding the new attack vector of the DDoS against the DNS servers.
>
> A full story can be read here http://www.zone-h.org/news/id/4739
>
> Here is the excerpt.
>
>
> The attack phases are as follows:
>
> The attacker obtains the IP address /​host­name of the tar­get DNS server.
>
> The attacker updates the NS records of the pre-​registered domain foo
> -domain​.com with the IP address /​host­name of the tar­get DNS
> server. Some reg­is­trars or host­ing providers do not pro­vide this
> func­tion­al­ity, many other do. There are known host­ing com­pa­nies
> and ISP that are sup­port­ing the spam [5]. After the NS records
> update the attacker waits at least 24 hours until the new records are
> prop­a­gated all over the Internet.
>

Note that it's not possible with several tld. Eg : fr  nic, afinc.net (and I
hope some other)
checks that an SOA record is present  (and much more. See
http://www.zonecheck.fr)
on the name server before updating NS records in the registry.

Now the attacker pre­pares a spam cam­paign. There are few aspects to
> note: as first, the sender mail address for the MAIL FROM can con­tain
> the same user name, but the sub­do­main — 3rd level domain must vary
> per each spam mes­sage (for exam­ple first spam mes­sage has the
> sender james@​subdom1​.​foo-​domain.​com but the sec­ond sender has to
> be james@​subdom2​.​foo-​domain.​com).
>
> The sec­ond impor­tant aspect is the selec­tion of the white horse
> sys­tems. White horse sys­tems are the SMTP incom­ing mail servers
> with a high bandwidth.
>
> Once the spam cam­paign has been started to the white horse sys­tems
> using the spam bot­net, these sys­tems check on the back­ground
> whether the sender’s domain resolves to the domain MX or at least to
> an A record. Since the NS record is set to the tar­get DNS server, the
> DNS requests will be per­formed to the tar­get DNS server.
>
> Tar­get DNS server receives mul­ti­ple reg­u­lar DNS requests for the
> bogus sub­do­main records(note that in the pre­vi­ous Denial of
> Ser­vice attacks against the DNS servers received either mal­formed,
> frag­mented, ICMP mes­sages or TCP SYN, with invalid length, or
> over­sized and some of these can be fil­tered by the fire­walls or
> secu­rity appli­ances). Since the DNS server does not have the records
> for the foo​-domain​.com, it has to respond neg­a­tively to the
> request. If the spam cam­paign is suc­cess­ful, the white horse
> sys­tems flood the DNS server with mul­ti­ple valid DNS requests.
>
> Regards
>
> Jakub Alimov [Seznam.cz]
> minor [zone-h.org]
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ