Re: [Full-disclosure] New DDoS attack vector
- To: "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] New DDoS attack vector
- From: "Dobbins, Roland" <rdobbins@xxxxxxxxx>
- Date: Fri, 20 May 2011 02:24:07 +0000
On May 19, 2011, at 9:44 PM, minor float wrote:
> Dear list readers, today we officially published our observations
> regarding the new attack vector of the DDoS against the DNS servers.
Filtering out the bogus DNS queries generated by the MX-record lookups is
pretty trivial with modern intelligent DDoS mitigation systems (IDMS).
The assertion that 'previous Denial of Service attacks against the DNS servers
received either malformed, fragmented, ICMP messages or TCP SYN, with invalid
length, or oversized and some of these can be filtered by the firewalls or
security appliances' is demonstrably false. DNS servers have been targeted by
bogus queries intended to exhaust the DNS server resources directly, or via
spoofed queries which are intended to generate reflection/amplification
attacks, but which also have a deleterious effect on the performance of the
abused open recursors, for many years.
The posited scenario is unnecessarily complex. It's a heck of a lot easier to
simply bombard targeted authoritative DNS servers with spoofed bogus queries
from botnets and/or hit them with reflection/amplification attacks, rather than
go through these elaborate steps of registering a domain, pointing the NS/MX
records at the target, then generating lots of spam.
The proximate attack method described - layer-7 DDoS via excessive queries -
isn't new or unique, and the NS-record-related steps are unnecessary. There's
simply no need to go to this amount of trouble to launch a DDoS attack against
authoritative DNS servers, nor is such an attack as difficult to defend against
as is claimed in the write-up, meaning that this attack methodology has no
unique advantages to justify the extra steps regarding re-targeting NS/MX
records and spam generation.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@xxxxxxxxx> // <http://www.arbornetworks.com>
The basis of optimism is sheer terror.
-- Oscar Wilde
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
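A defender-side illustration of the "filtering is pretty trivial" point in the reply above, added here as an example and not part of the original thread or of any mitigation product: a small Python detector run over constructed authoritative-server query-log lines that flags a name receiving a burst of MX lookups from many distinct resolvers, which is the traffic shape the NS/MX re-targeting plus spam scenario would produce at the target. The log format, the `SAMPLE_LOG` contents and the thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of query-log lines (not real traffic), one per line:
# "<epoch seconds> <resolver ip> <qname> <qtype>". The flood is a burst of MX
# lookups for one name from many distinct mail servers, each asking only once.
SAMPLE_LOG = "\n".join(
    [f"1305856000.{i:03d} 203.0.113.{i % 200 + 1} flood.example. MX" for i in range(60)]
    + [
        "1305856000.100 198.51.100.10 www.example. A",
        "1305856000.200 198.51.100.11 mail.example. MX",
        "1305856000.300 198.51.100.12 www.example. AAAA",
        "1305856001.050 198.51.100.10 mail.example. MX",
    ]
)

def parse_line(line):
    """Parse one log line into (bucket_second, source, qname, qtype); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, qname, qtype = parts
    try:
        return int(float(ts)), ipaddress.ip_address(src), qname.lower(), qtype.upper()
    except ValueError:
        return None

def find_mx_floods(log_text, min_queries=50, min_sources=10):
    """Return {qname: (queries, distinct_sources)} for names that, within any one-second
    bucket, receive at least min_queries MX lookups from at least min_sources resolvers.
    Per-source rate limits miss this pattern because every legitimate mail server asks
    only once; counting per qname across sources is what exposes the burst."""
    buckets = defaultdict(lambda: [0, set()])   # (second, qname) -> [count, sources]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != "MX":
            continue
        second, src, qname, _ = rec
        entry = buckets[(second, qname)]
        entry[0] += 1
        entry[1].add(src)
    floods = {}
    for (_, qname), (count, sources) in buckets.items():
        if count >= min_queries and len(sources) >= min_sources:
            prev = floods.get(qname, (0, 0))
            floods[qname] = max(prev, (count, len(sources)))
    return floods
```

On the sample above only `flood.example.` is reported; the normal MX lookups for `mail.example.` fall far below both thresholds.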