RE: NT Compromise -- Update -- SRC PORT: 53 traffic

From: Alvin Oga (alvin.sec@Mail.Linux-Consulting.com)
Date: 12/26/01


Date: Tue, 25 Dec 2001 18:03:47 -0800 (PST)
From: Alvin Oga <alvin.sec@Mail.Linux-Consulting.com>
To: email@royds.net


hi ya loki

you folks probably know this but...thought i'd post it
for some of us... and am hoping i can get some more links
and references too

you can check if you are vulnerable to icmp smurf attacks...
        http://www.netscan.org
        http://www.powertech.no/smurf/

donno if there is a dns smurf test site
        ??
        
online dns testing
        http://www.Linux-Sec.net/audit/audit_tools.gwif.html#DNS

have fun
alvin

On Mon, 24 Dec 2001, Bill Royds wrote:

> DNS can be used as an amplifier for a "smurf" type attack, which seems to be the case here.
> What an attacker does is send a large series of DNS requests to many fast servers, with the victim's address as the return address.
> Since DNS queries are UDP, there is no connection needed. The return packets are very much larger than the query, so a few K worth of queries returns megabytes worth of answers, all directed at the victim, not the perpetrator.
> The attacker has to choose the sites to query carefully to maximize the attack. She wants to have a large packet returned but not more than the MTU (about 1500 bytes). If it is more than MTU, the DNS server will attempt to initiate a TCP format query, which fails.
>
> It is using a DNS server in your range to maximize the bandwidth amplification, so I would suggest looking at the server that is apparently attacking you and asking it to pace replies to you to avoid the attack. Another tactic is to ask it to bandwidth-limit replies to you.
> Both of these IPs are victims, although yours gets the effect of amplification more.
>
> -----Original Message-----
> From: Loki [mailto:loki@fatelabs.com]
> Sent: Mon December 24 2001 14:31
> To: incidents@securityfocus.com
> Subject: NT Compromise -- Update -- SRC PORT: 53 traffic
>
>
> I should mention that the packets were flooding our DNS server, enough
> traffic to saturate and bring down our T1. Please note that again, the
> port 53 was not the DST port, rather, the SRC port of each packet.
>
>
> --
>
>
> ============================================================
> Loki
> Founder, Chief Research Scientist
> Fate Research Labs
> United States VPN Division
> ------------------------------------------------------------
> [w] http://www.fatelabs.com
> [e] loki@fatelabs.com
> [p] +1 412 303 3115
> ------------------------------------------------------------
> "Ipsa Scientia Potestas Est" Knowledge itself is power.
> ============================================================
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>

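The reflection flood Bill describes, seen from the victim's side as an added example (not code from anyone in this thread): inbound UDP packets with SOURCE port 53 for which no query ever left the monitored network are counted per destination host, the rate is compared against a T1 (1.544 Mbit/s nominal), and the reflecting servers are listed so their operators can be contacted, as suggested above. Packet records, the 192.0.2.0/24 "local" prefix and all addresses are constructed sample data.

```python
from collections import defaultdict

T1_BPS = 1_544_000        # nominal T1 line rate, bits per second
LOCAL_NET = "192.0.2."    # constructed: prefix of the monitored (victim-side) network

# Constructed sample packets seen at the border:
# (time_s, src_ip, src_port, dst_ip, dst_port, length_bytes)
PACKETS = [
    (0.00, "192.0.2.10", 40001, "198.51.100.53", 53, 60),    # a legitimate query we sent
    (0.02, "198.51.100.53", 53, "192.0.2.10", 40001, 480),   # its legitimate answer
] + [
    # reflected answers: SRC port 53, but no query from us ever went to these servers
    (0.05 + i * 0.001, "203.0.113.%d" % (1 + i % 3), 53, "192.0.2.53", 1024 + i, 1400)
    for i in range(150)
]


def is_local(ip):
    return ip.startswith(LOCAL_NET)


def analyze(packets, t1_bps=T1_BPS):
    """Return, per local host, the unsolicited src-port-53 traffic it received."""
    asked = set()  # (local_ip, local_port, remote_ip) for every outbound DNS query
    victims = defaultdict(lambda: {"bytes": 0, "pkts": 0, "first": None, "last": None,
                                   "reflectors": defaultdict(int)})
    for t, src, sport, dst, dport, size in packets:
        if is_local(src) and dport == 53:
            asked.add((src, sport, dst))            # remember what we actually asked
        elif not is_local(src) and sport == 53 and is_local(dst):
            if (dst, dport, src) in asked:
                continue                            # a real answer to our own query
            v = victims[dst]
            v["bytes"] += size
            v["pkts"] += 1
            v["reflectors"][src] += size
            v["first"] = t if v["first"] is None else v["first"]
            v["last"] = t
    report = {}
    for dst, v in victims.items():
        span = max(v["last"] - v["first"], 0.001)   # avoid division by zero
        bps = v["bytes"] * 8 / span
        report[dst] = {
            "pkts": v["pkts"], "bytes": v["bytes"], "bps": bps,
            "saturates_t1": bps >= t1_bps,
            "reflectors": sorted(v["reflectors"], key=v["reflectors"].get, reverse=True),
        }
    return report
```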