[olug] DoDNS extortion

Daniel Linder dan at linder.org
Wed Sep 8 14:12:09 UTC 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

<quote who="Eric Penne">
> A friend of mine just had her company attacked by a Denial of DNS
> (DoDNS).  Apparently the attackers emailed the bosses demanding $10,000
> or they would launch this DoDNS for the next month.  If they paid the
> money they would "protect" them for a year.  Is this straight out of the
> movies?
>
> Has anybody else had this issue?

Not directly, but I have heard of it before.  A guy in California (?)
tried to hire some high-school/college kids to get their friends to DOS a
competitor's web site at critical times.  Sadly it takes all types of
people in this world... :(

> What are the best ways or other ways to protect yourself against this
> type of attack?
> Multiple DNS servers on different connections is one thing I was
> thinking of.  Manually blacklisting the IP addresses at the route seems
> like a slow and painful way of doing this.

It's always a good idea to have multiple DNS servers, and better if you
can get them hosted behind different networks/firewalls/subnets.  I'm kind
of surprised that Akamai (big distributed content provider) hasn't offered
their distributed network as a DNS service.

If they have only one DNS he should be able to contact the hosting
provider and have them implement some anti-DOS filtering at their links to
the Internet.  It's better to have them do the filtering to keep the
traffic as far away from the end point of use as possible.

If they control their own DNS and it happens to run Linux (or an IPTables
compatible OS such as *BSD, etc.) they could put in a rate-limiting rule on
the DNS entries so that each source IP address is only allowed X DNS
requests per minute.  I would think that a limit of 5/minute for any one
source should be plenty.

Since most script-kiddie DOS clients are written to be able to spoof the
source IP address, the above rate limiting won't help much.  At this point
he will have to enlist the assistance of his ISP and the ISPs upstream
providers.  Since the source IP address is spoofed, they would have to
setup some sort of monitoring on their equipment to watch for large
numbers of DNS request packets going to their DNS server and see what port
those packets came in on.  By going from router-to-router, hopefully they
can track their way back to the ISPs hosting these clients and request
that they implement an "egress filter" to drop bogus source IP addresses.
(note 1)

> I assume this is a crime that probably should be reported to the FBI
> because it almost certainly crosses state lines.  Any thoughts?

Please do report them -- it's the only real way to get them to stop once
and for all.

Dan

Note 1: I used to work for an ISP here in Omaha and I implemented this by
default.  It only took a few seconds to set up the ACL on the border
routers (Cisco) and I was amazed at the number of bogus packets that were
trying to go out due to accidentally enabled DHCP clients auto-configuring
their own IP address, or a customer firewall leaking 10.X.X.X addresses!
:O  And don't let an ISP tell you that egress filtering is too much of a
load on their router.  A Cisco router has to look at the TCP/IP headers
each time it routes a packet, so the addition of having it check the source
and drop is negligible.

- - - - -
"I do not fear computers,
I fear the lack of them."
 -- Isaac Asimov

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFBPxM5NiBNyqUzGb8RAlruAJ9kXxUOCAY+QFftmNBnBjktGpbHEgCgi4wn
XjjHN8gartyueFMpAnXUI0E=
=ah5N
-----END PGP SIGNATURE-----
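The two mitigations Dan describes, a per-source DNS rate limit on the name server and an egress (source-address) filter at the border, as an added example that is not part of the original post. The post mentions IPTables for the rate limit and a Cisco ACL for the egress filter; this script expresses both as iptables rules for a Linux host/router, and only prints them unless APPLY=1 is set. The interface name eth0, the allocated prefix 203.0.113.0/24 (a documentation range), the 5/min limit and the burst value are assumptions for illustration, not values from the post. Tune the per-source limit for your own traffic: many legitimate queries come from a handful of recursive resolvers or NAT gateways, and 5/minute per source will starve them. As the post notes, with spoofed source addresses every forged source gets its own hashlimit bucket, so the rate limit alone does not stop a spoofed flood; that is what the egress filter at the sending ISP is for.

```shell
#!/bin/sh
# Added example (not from the original post): emit iptables rules for
#  (1) per-source DNS query rate limiting on the DNS host, and
#  (2) egress filtering on a Linux border router (the post's Cisco ACL,
#      translated). Interface, prefixes and limits are assumptions.
# Without APPLY=1 the rules are only printed; with APPLY=1 they are executed
# (requires root and iptables).

# (1) Per-source rate limit for UDP DNS queries using the hashlimit match.
# $1 = queries allowed per minute per source address, $2 = burst.
# Each distinct source gets its own bucket, so spoofed sources each get a
# fresh allowance: this does not help against a spoofed flood.
dns_rate_limit_rules() {
    rate="${1:-5}"
    burst="${2:-10}"
    printf 'iptables -A INPUT -p udp --dport 53 -m hashlimit --hashlimit-name dns-udp --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-upto %s/min --hashlimit-burst %s -j ACCEPT\n' "$rate" "$burst"
    # Anything over the per-source allowance is dropped.
    printf 'iptables -A INPUT -p udp --dport 53 -j DROP\n'
}

# (2) Egress filter: only packets whose source address lies inside our own
# allocation may leave through the WAN interface.
# $1 = WAN interface, remaining args = allocated prefixes (CIDR).
egress_filter_rules() {
    wan="$1"; shift
    # Log the bogus source classes the post reports seeing leak out:
    # RFC1918 ranges from customer firewalls and 169.254/16 link-local
    # addresses from DHCP clients that auto-configured themselves.
    for bogon in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16; do
        printf 'iptables -A FORWARD -o %s -s %s -j LOG --log-prefix "EGRESS-BOGON "\n' "$wan" "$bogon"
    done
    for prefix in "$@"; do
        printf 'iptables -A FORWARD -o %s -s %s -j ACCEPT\n' "$wan" "$prefix"
    done
    # Any other source address leaving the WAN side is not ours: drop it.
    printf 'iptables -A FORWARD -o %s -j DROP\n' "$wan"
}

emit_all() {
    dns_rate_limit_rules 5 10
    egress_filter_rules eth0 203.0.113.0/24   # assumed interface and prefix
}

if [ "${APPLY:-0}" = 1 ]; then
    emit_all | sh -e
else
    emit_all
fi
```

Run it as-is to review the generated rules, then with APPLY=1 as root to install them. On the DNS host only the rate-limit rules apply; on the border router only the FORWARD rules do, so split the two functions between the two boxes in practice.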
