[45175] in North American Network Operators' Group


RE: DNS DOS increasing?

daemon@ATHENA.MIT.EDU (Karyn Ulriksen)
Mon Jan 21 11:48:03 2002

From: "Karyn Ulriksen" <valkaryn@valkaryn.net>
To: "LIST, NANOG" <nanog@merit.edu>
Date: Mon, 21 Jan 2002 08:40:05 -0800
Message-ID: <FGEAKNILLHDBMHGPKBEFKEMJCJAA.valkaryn@valkaryn.net>
In-Reply-To: <FGEAKNILLHDBMHGPKBEFGEMJCJAA.valkaryn@valkaryn.net>
Errors-To: owner-nanog-outgoing@merit.edu

I've seen this behavior before, also.  I thought it was interesting that two
servers side by side, receiving the same attacks/ratios and only serving DNS
(BIND 8.2.x*), acted in this manner:

        Redhat 6.2 w/dual proc 833 512/ram    started "losing" RR records
        Solaris 7 on a Sparc 10 (hehe) w/256  rebooted and served the correct records

I'm curious to see how other OSes react to these attacks.  My guess is that
BSD systems (such as FreeBSD and BSDi) will react similarly to the Solaris,
based on my past experience with these systems.  So I am curious to see if
the RR record "loss" is an OS-specific behaviour, especially since Redhat
has priors in misplacing information in earlier versions of the OS.

* I say BIND 8.2.x, because this continued to occur through the various BIND
8.2 releases.

Best regards,

Karyn Ulriksen
Valkaryn Internet Group
URL: http://www.valkaryn.net
email:  valkaryn@valkaryn.net
===========================================
"Decisions should be made in the space of seven breaths."


  -----Original Message-----
  From: Karyn Ulriksen [mailto:valkaryn@valkaryn.net]
  Sent: Monday, January 21, 2002 8:39 AM
  To: James Smith
  Subject: RE: DNS DOS increasing?


  I've seen this behavior before, also.  I thought it was interesting that
two servers side by side, receiving the same attacks/ratios and only serving
DNS (BIND 8.2.x*), acted in this manner:

          Redhat 6.2 w/dual proc 833 512/ram    started "losing" RR records
          Solaris 7 on a Sparc 10 (hehe) w/256  rebooted and served the correct records

  I'm curious to see how other OSes react to these attacks.  My guess is
that BSD systems (such as FreeBSD and BSDi) will react similarly to the
Solaris, based on my past experience with these systems.  So I am curious to
see if the RR record "loss" is an OS-specific behaviour, especially since
Redhat has priors in misplacing information in earlier versions of the OS.

  * I say BIND 8.2.x, because this continued to occur through the various
BIND 8.2 releases.

  Best regards,

  Karyn Ulriksen
  Valkaryn Internet Group
  URL: http://www.valkaryn.net
  email:  valkaryn@valkaryn.net
  ===========================================
  "Decisions should be made in the space of seven breaths."


    -----Original Message-----
    From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of James Smith
    Sent: Monday, January 21, 2002 7:08 AM
    To: nanog@merit.edu
    Subject: RE: DNS DOS increasing?


     I've seen DOS-type behavior where a client will query a resolver for a
     name that doesn't exist, and the client does not accept the answer that
     the name does not exist and immediately sends another query, regardless
     of whether or not the resolver declared itself authoritative for the
     negative answer.

    --
    /ak

      Get ready for more DOS-like behavior as systems get deployed that have
10 second TTLs in the DNS. These systems are used to provide multi-ISP
redundancy by pinging each upstream's router, and when a ping fails, start
giving out a DNS response using the other ISP's IP range. Same FQDN, new IP.

      This of course is driven by the desire for redundancy in small
businesses who make the Internet an integral part of their business plan.
Either they can't get PI space and don't have (or don't want to spend) the
$$$ to do BGP, or are unable to convince their upstream to cut a hole in
their CIDR block and allow a 2nd party to announce that chunk (which for
some is as small as /28).

    James H. Smith II  NNCDS NNCSE
    Systems Engineer
    The Presidio Corporation


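A defender's check for the re-query loop James describes (a client that keeps asking for a name after already being told it does not exist), as an added example that is not part of the thread: it scans constructed resolver log lines (the log format and the sample values are assumptions) and flags any client that repeats the same NXDOMAIN query several times within a short window.

```python
from collections import defaultdict, deque

# Constructed sample log lines, not from the original thread. Format assumed:
# epoch seconds, client IP, queried name, response code the resolver returned.
SAMPLE_LOG = """\
1011600001.0 10.0.0.5 nosuch.example.net NXDOMAIN
1011600001.1 10.0.0.5 nosuch.example.net NXDOMAIN
1011600001.2 10.0.0.5 nosuch.example.net NXDOMAIN
1011600001.3 10.0.0.5 nosuch.example.net NXDOMAIN
1011600001.4 10.0.0.5 nosuch.example.net NXDOMAIN
1011600002.0 10.0.0.9 www.example.net NOERROR
1011600030.0 10.0.0.9 nosuch.example.net NXDOMAIN
1011600090.0 10.0.0.9 nosuch.example.net NXDOMAIN
"""


def parse_line(line):
    """Split one log line into (timestamp, client, normalised qname, rcode)."""
    ts, client, qname, rcode = line.split()
    return float(ts), client, qname.lower().rstrip("."), rcode


def find_negative_requery_loops(log_text, window=10.0, threshold=5):
    """Return {(client, qname): peak_count} for clients that re-ask the same
    name at least `threshold` times within `window` seconds even though every
    one of those queries was answered NXDOMAIN. A well-behaved stub honours
    the negative answer (and its SOA minimum TTL) instead of retrying at once."""
    recent = defaultdict(deque)  # (client, qname) -> timestamps of NXDOMAIN queries
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = parse_line(line)
        if rcode != "NXDOMAIN":
            continue  # only negative answers matter for this pattern
        key = (client, qname)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop queries older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


if __name__ == "__main__":
    for (client, qname), n in find_negative_requery_loops(SAMPLE_LOG).items():
        print(f"{client} repeated NXDOMAIN query for {qname} {n} times in 10s")
```

The second client in the sample asks twice a minute apart and is not flagged, which is the behaviour a negative-caching stub would show.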