Re: FW: [Full-Disclosure] Question for DNS pros

From: Frank Knobbe (
Date: 08/04/04

  • Next message: Aditya, ALD [Aditya Lalit Deshmukh]: "RE: [Full-Disclosure] Defcon spelled half backwards is Fedcon and you dumfucks walked into a trap"
    To: John Hall <>
    Date: Tue, 03 Aug 2004 22:17:50 -0500

    On Tue, 2004-08-03 at 20:38, John Hall wrote:
    > In general, most sites use local forwarding DNS servers that do the
    > recursive lookups for all the clients at that site, so our probes
    > measure the RTT from each datacenter to that forwarding DNS server
    > and maintain that data so we can make intelligent decisions the next
    > time a client from that site (via that local forwarder) makes a request.

    Okay. I'm not sure how that would help since the server could just send
    the reply. Actually, it could have sent several during the time it takes
    to measure the round trip time. But this is not the place to discuss
    3DNS merits.

    What is strange, though, is the fact that the load-balancer sent those
    packets without actually receiving a request. The dump I provided span
    most of the night, filtered on that host, and there are no DNS queries
    being sent to the load-balanced DNS server. Instead, it appears like the
    load-balancer is just unsolicited probes. It is, however, possible that
    these are responses to spoofed packets that the load-balanced server
    received from someplace else.

    But wouldn't that make 3DNS an amplifier in a DoS attack? I guess it
    depends on how it is configured. Seems so that, when configured wrong
    with an overly aggressive configuration, it will respond with a multiple
    of probes packets to a single spoofed reply.

    The problem goes like this. An attacker sends a single spoofed UDP
    packet, spoofing the IP of his target, to a handful of 3DNS
    load-balanced DNS servers. Each load-balancer will send a series of
    probes to the target. If not usable for a denial-of-service attack (due
    to low volume), then at least it can be misused to generate a cover of
    suspicious traffic that the attack can use to hide his own little
    reconnaissance packets in.

    Don't get me wrong, I'm not complaining about 3DNS. I'm just questioning
    whether it really is useful to produce a series of probes in response to
    a potentially spoofed packet.

    > That does look like a full set of 3-DNS probes. We generally recommend
    > that our customers only configure two probe methods. Looks like this
    > guy has all of the probe methods configured. Since your firewall doesn't
    > respond at all, it's trying each method in turn. The traffic does look
    > like it's pretty low volume, so I guess your major concern is being
    > woken up at 4am with IDS alerts

    Not really. It is generating about 300 annoying packets a day. The issue
    is that it appears to be hard to distinguish this from a real attack (in
    case of the UDP queries). I'm planning on writing signatures for the TCP
    SYN scan to ignore these 3DNS probes. But the UDP queries for "." and
    the reverse IP address are things that need to cause an alert since they
    could be part of a human-driven recon/attack. I'm hesitant to turn a
    blind eye on those...

    > Currently, I don't know of any specific signature other than the ID
    > field that would help identify our "." probes. I'll ask around.

    Please do. As mentioned earlier, a fixed IPID might work. But then
    again, an intruder could use those values to do his dirty work, and (by
    making the packets look identical to 3DNS probes) slip under a radar

    Perhaps the only solution is to build a list of 3DNS IP addresses and
    ignore these type alerts from those addresses.

    Thought anyone? (If anyone is still following ... :)



    Full-Disclosure - We believe in it.

  • Next message: Aditya, ALD [Aditya Lalit Deshmukh]: "RE: [Full-Disclosure] Defcon spelled half backwards is Fedcon and you dumfucks walked into a trap"