MESSAGE
DATE | 2013-03-30
FROM | Ruben Safir
SUBJECT | [NYLXS - HANGOUT] [ruben@mrbrklyn.com: Re: BIND options]

Date: Sat, 30 Mar 2013 20:59:39 -0400
From: Ruben Safir
To: Rick Moen
Cc: Ruben Safir
Subject: Re: BIND options
User-Agent: Mutt/1.5.21 (2010-09-15)
On Fri, Mar 29, 2013 at 05:39:37PM -0700, Rick Moen wrote:
> I wrote:
>
> > This is from one of the include files of my BIND configuration.
> > You could put it into /etc/bind/named.conf . (198.144.195.186/29
> > is my public IP netblock.)
>
> About the Spamhaus attacks: They are made possible by one majorly bad
> thing and one minorly bad one.
>
I limited the recursions to my 10.0 block and then noted that they have changed from "can't find network" to "not authorized for recursion" or some such message in the messages log.

I cannot get a Google IP address from my mrbrklyn named server when running dig at my panix address, so I hope all is good. For fun, I also dev-null routed a few HK and SK netblocks that were causing the majority of the inquiries.
As for the authentication DNS, after thinking it over, I don't even know why there is a server for that. Seems like a TFTP request for a small text file will do the trick.

What is really bothering me is that all simple DNS requests (which require recursion) need to be locked up. That must put a huge load on the base DNS servers (the root A servers), and God forbid the Taliban attacks the WTC and my name server goes out; I'd have no authorization for recursion anywhere else.

Anyway, that cyberbunker NAZI asshole, Sven Olaf Kamphuis, would be a good candidate for extrajudicial assassination. The Israeli Mossad should do a better job next time. Maybe they can persuade his car to decide by itself to blow itself up inside the Hague. That would take out two birds with one stone.

Death to Haman. I don't care if I have to live on the streets, next year I will be doing this in Jerusalem.
Ruben
BTW - BGP
Piece of cake! I can do that in 10 minutes... just point me to the Wikipedia page.

The diagram for it looks like Gilda Radner made it. Simple, logical, and simple.
It takes a special class of crazy people to design something like that.
eh
> Majorly bad: ISPs and backbone providers not bothering to do ingress
> filtering at their BGP routers. Explanation: It should not be possible
> to route a forged IP packet across backbones, because router operators
> should reject/drop packets claiming to come from impossible IPs (that
> are not valid arriving on that interface). This isn't brain-surgery
> and is basic quality-control. And yet, apparently some of these guys
> do only egress filtering. Bad! Stupid!
>
> Minorly bad: People operating 'open' recursive DNS resolvers who do not
> need to, and who are not ready/willing/able to do their own ingress
> filtering (which is in practice feasible only to peering ISPs running
> BGP), or at least rate filtering/monitoring.
>
> Minorly bad (variant): SOHO gateways and WAPs with embedded Linux or
> BSD or similar distros often have DNS forwarder software (dproxy or
> Dnsmasq) that is often misconfigured to answer queries arriving on the
> public-facing interface. Those queries are then forwarded to recursive
> DNS resolvers as detailed in the prior paragraph.
>
> The two of those things (major and minor) jointly permit abusing other
> people's recursive nameservers as attack reflectors, very efficiently
> because most DNS is done using UDP hence damned near zero overhead and
> no handshake checking.
>
> In fact, it's not only an efficient form of attack but also offers
> amplification via some means I do not yet fully understand where the bad
> guys' 10 bytes of DNS query with a forged source IP generated 1000 bytes
> of return value, or 100x amplification factor.
>
> I'll eventually read more about the technical details of these DDoS
> attacks. Unfortunately, most of what's written on the subject is
> either rubbish or vague.
----- End forwarded message -----
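The open-resolver misconfiguration Rick describes, beside the restricted form Ruben says he applied to his 10.0 block, written up here as an added BIND 9 example and not either of their actual named.conf files; the 10.0.0.0/8 client block and the cache directory are assumptions.

```conf
// --- WEAK: named.conf.options of an open resolver ---------------------
// Anyone on the Internet can use the cache, so a query with a forged
// source address is answered toward the victim (reflection), and the
// reply is far larger than the query (amplification).
options {
    directory "/var/cache/bind";   // assumed path
    recursion yes;
    // no allow-recursion / allow-query-cache: defaults to "any"
};

// --- HARDENED: same server, recursion only for local clients ----------
// (Use one options block or the other; two in one file is a syntax error.)
acl "local-clients" {
    127.0.0.1;
    10.0.0.0/8;        // assumed internal block, like Ruben's "10.0 block"
};

options {
    directory "/var/cache/bind";   // assumed path
    recursion yes;

    // Only local clients may ask us to recurse or read the cache;
    // everyone else gets REFUSED instead of a reflected answer.
    allow-recursion   { local-clients; };
    allow-query-cache { local-clients; };

    // Zones we are authoritative for are still served to everyone.
    allow-query { any; };

    // Do not pad answers with unrequested NS/additional records:
    // smaller responses mean a smaller amplification factor.
    minimal-responses yes;

    // Response Rate Limiting (BIND builds with RRL; standard from 9.10):
    // identical responses to one client netblock are capped per second,
    // so even the authoritative side cannot be used as a high-rate reflector.
    rate-limit {
        responses-per-second 5;
        window 5;
        log-only no;     // set "yes" first to observe before enforcing
    };
};
```

Check the syntax with `named-checkconf` before reloading; then, from a host outside the ACL, `dig @your.server www.google.com A` should come back with status REFUSED rather than an answer, which matches what Ruben observed from his panix address.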