[SOC] FW:RE: [QSL-Net] WebSite Access
[email protected]
[email protected]
Mon, 18 Nov 2002 12:41:57 +0100 (MET)
Hello Zeveribudi,
A bit more info about the QTH/QSL.NET overload, FYI:
<<
From: "Alan L. Waller" <[email protected]>
Subject: RE: [QSL-Net] WebSite Access
Cc: [email protected]
Date: Fri, 15 Nov 2002 12:27:57 -0500
Dick,
It's pretty complex but essentially we were flooded with requests on the
QTH.NET DNS server for domains we are not authoritative for and the resulting
bandwidth consumption slowed the lists down to where the queues were filling
and not flushing so the server loads went sky high and nothing seemed to work.
Took a while to find it and block the offending systems. I probably do not have
them all but I have a script that will report them to me for extermination if
this starts again.
This is what CERT says about the DoS:
Description
We are receiving an increasing number of reports of intruders using nameservers
to execute packet flooding denial of service attacks.
The most common method we have seen involves an intruder sending a large number
of UDP-based DNS requests to a nameserver using a spoofed source IP address.
Any nameserver response is sent back to the spoofed IP address as the
destination. In this scenario, the spoofed IP address represents the victim of
the denial of service attack. The nameserver is an intermediate party in the
attack. The true source of the attack is difficult for an intermediate or a
victim site to determine due to the use of spoofed source addresses.
Because nameserver responses can be significantly larger than DNS requests,
there is potential for bandwidth amplification. In other words, the responses
may consume more bandwidth than the requests. We have seen intruders utilize
multiple nameservers on diverse networks in this type of attack to achieve a
distributed denial of service attack against victim sites.
In incidents we have seen as of the date of publication, the queries are
usually crafted to request the same valid DNS resource record from multiple
nameservers. The result is many nameservers receiving queries for resource
records in zones for which the nameserver is not authoritative.
73, Al
>>
72!
Claude
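The pattern Al and the CERT text describe has a straightforward signature in a nameserver's query log: outside clients sending many queries, often for the same record, in zones the server is not authoritative for. The script below is an added example written for this page; it is not Al's reporting script, CERT code, or anything from QTH.NET. It assumes a BIND-style query log line format, and the authoritative zone list, the "local" network, the client addresses and the log lines are all constructed for the example. It reports each outside source that reaches a threshold of non-authoritative queries, together with the name it asked for most, which is the list you would feed to a block rule or a rate limiter; the lasting fix is to refuse recursion for clients outside your own networks so the server stops answering such queries at all.

```python
"""Flag outside clients that query an authoritative-only nameserver for
zones it does not serve (the reflection pattern described in the e-mail).

Added example, not code from the original thread. Log format mimics BIND
query logging; zones, networks and log lines below are constructed.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Zones this server is authoritative for (constructed; use your own list).
AUTHORITATIVE_ZONES = ("qth.net", "qsl.net")

# Networks allowed to use this server as a recursive resolver (constructed).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# BIND-like query log line, e.g.
# "15-Nov-2002 12:01:03.123 client 203.0.113.7#53125: query: www.example.org IN ANY +"
# The trailing flag is "+" when the client asked for recursion, "-" otherwise.
LOG_RE = re.compile(
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Constructed sample log: one outside host hammering a foreign name with ANY
# queries, one outside host mixing a legitimate query with one foreign query,
# and one local client whose recursive query is allowed.
SAMPLE_LOG = """\
15-Nov-2002 12:01:03.123 client 203.0.113.7#53125: query: www.example.org IN ANY +
15-Nov-2002 12:01:03.130 client 203.0.113.7#53125: query: www.example.org IN ANY +
15-Nov-2002 12:01:03.140 client 203.0.113.7#53125: query: www.example.org IN ANY +
15-Nov-2002 12:01:03.150 client 203.0.113.7#53125: query: www.example.org IN ANY +
15-Nov-2002 12:01:04.001 client 198.51.100.9#40000: query: lists.qth.net IN MX -
15-Nov-2002 12:01:05.002 client 192.0.2.15#51000: query: www.example.org IN A +
15-Nov-2002 12:01:06.003 client 198.51.100.9#40001: query: example.com IN A +
""".splitlines()


def in_authoritative_zone(qname: str) -> bool:
    """True if qname is at or below one of the zones this server serves."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in AUTHORITATIVE_ZONES)


def is_local(src: str) -> bool:
    """True if the client address belongs to a network allowed to recurse."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in LOCAL_NETS)


def parse_line(line: str):
    """Return (src, qname, qtype, flags) or None for a non-query line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("qname"), m.group("qtype"), m.group("flags")


def find_abusers(lines, threshold: int = 3):
    """Return {src: (count, most_requested_qname)} for outside clients whose
    number of queries for non-authoritative names reaches `threshold`."""
    per_src = defaultdict(Counter)  # src -> Counter of foreign qnames
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, qname, _qtype, _flags = parsed
        if is_local(src) or in_authoritative_zone(qname):
            continue  # local recursion or our own zone: legitimate traffic
        per_src[src][qname.rstrip(".").lower()] += 1
    report = {}
    for src, names in per_src.items():
        total = sum(names.values())
        if total >= threshold:
            report[src] = (total, names.most_common(1)[0][0])
    return report


if __name__ == "__main__":
    for src, (count, qname) in sorted(find_abusers(SAMPLE_LOG).items()):
        print(f"{src}: {count} non-authoritative queries, mostly for {qname}")
```

Run as-is it reports only 203.0.113.7 (four queries for www.example.org); the local client and the host that mostly asked about qth.net are left alone. The threshold is per batch of log lines, so feed it a time window sized to your normal query rate rather than a whole day's log.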