Re: FW: [Full-Disclosure] Question for DNS pros
From: Frank Knobbe (frank_at_knobbe.us)
To: John Hall <email@example.com> Date: Tue, 03 Aug 2004 22:17:50 -0500
On Tue, 2004-08-03 at 20:38, John Hall wrote:
> In general, most sites use local forwarding DNS servers that do the
> recursive lookups for all the clients at that site, so our probes
> measure the RTT from each datacenter to that forwarding DNS server
> and maintain that data so we can make intelligent decisions the next
> time a client from that site (via that local forwarder) makes a request.
Okay. I'm not sure how that would help since the server could just send
the reply. Actually, it could have sent several during the time it takes
to measure the round trip time. But this is not the place to discuss
What is strange, though, is the fact that the load-balancer sent those
packets without actually receiving a request. The dump I provided span
most of the night, filtered on that host, and there are no DNS queries
being sent to the load-balanced DNS server. Instead, it appears like the
load-balancer is just unsolicited probes. It is, however, possible that
these are responses to spoofed packets that the load-balanced server
received from someplace else.
But wouldn't that make 3DNS an amplifier in a DoS attack? I guess it
depends on how it is configured. Seems so that, when configured wrong
with an overly aggressive configuration, it will respond with a multiple
of probes packets to a single spoofed reply.
The problem goes like this. An attacker sends a single spoofed UDP
packet, spoofing the IP of his target, to a handful of 3DNS
load-balanced DNS servers. Each load-balancer will send a series of
probes to the target. If not usable for a denial-of-service attack (due
to low volume), then at least it can be misused to generate a cover of
suspicious traffic that the attack can use to hide his own little
reconnaissance packets in.
Don't get me wrong, I'm not complaining about 3DNS. I'm just questioning
whether it really is useful to produce a series of probes in response to
a potentially spoofed packet.
> That does look like a full set of 3-DNS probes. We generally recommend
> that our customers only configure two probe methods. Looks like this
> guy has all of the probe methods configured. Since your firewall doesn't
> respond at all, it's trying each method in turn. The traffic does look
> like it's pretty low volume, so I guess your major concern is being
> woken up at 4am with IDS alerts
Not really. It is generating about 300 annoying packets a day. The issue
is that it appears to be hard to distinguish this from a real attack (in
case of the UDP queries). I'm planning on writing signatures for the TCP
SYN scan to ignore these 3DNS probes. But the UDP queries for "." and
the reverse IP address are things that need to cause an alert since they
could be part of a human-driven recon/attack. I'm hesitant to turn a
blind eye on those...
> Currently, I don't know of any specific signature other than the ID
> field that would help identify our "." probes. I'll ask around.
Please do. As mentioned earlier, a fixed IPID might work. But then
again, an intruder could use those values to do his dirty work, and (by
making the packets look identical to 3DNS probes) slip under a radar
Perhaps the only solution is to build a list of 3DNS IP addresses and
ignore these type alerts from those addresses.
Thought anyone? (If anyone is still following ... :)
Full-Disclosure - We believe in it.
- application/pgp-signature attachment: This is a digitally signed message part