Sunday

Did the DNS attacks begin?

Well, as everyone is busy patching, how far are we? In the Blackhat webcast (downloadable here) from last week, Dan claimed to have seen an average patch rate of 52% at that time. The Austrian CERT released a study on July 24th stating that more than two thirds of Austrian ISPs had not patched. According to this thread on the Belgian forum userbase.be, as of last Friday 60% of Belgian ISPs were patched (Update Monday 28/07/2008: 80% are patched, including the biggest ISPs!). Compared to others, that's quite good. The website security.nl has also started an overview of Dutch ISPs. So we're not there yet.

Yesterday, someone on the Fedora mailing list stated that the attacks were beginning.

client 143.215.143.11 query (cache) 'com/ANY/IN' denied: 30 Time(s)
client 143.215.143.11 query (cache) 'gmail.com/ANY/IN' denied: 32 Time(s)
client 143.215.143.11 query (cache) 'hotmail.com/ANY/IN' denied: 31 Time(s)
client 143.215.143.11 query (cache) 'net/ANY/IN' denied: 30 Time(s)
client 143.215.143.11 query (cache) 'nosuch.domain/ANY/IN' denied: 30 Time(s)
client 143.215.143.11 query (cache) 'search.live.com/ANY/IN' denied: 30 Time(s)
client 143.215.143.11 query (cache) 'www.ebay.com/ANY/IN' denied: 31 Time(s)
client 143.215.143.11 query (cache) 'www.facebook.com/ANY/IN' denied: 30 Time(s)
client 143.215.143.11 query (cache) 'www.gmail.com/ANY/IN' denied: 30 Time(s)
client 143.215.143.11 query (cache) 'www.google.com/ANY/IN' denied: 30 Time(s)
client 143.215.143.11 query (cache) 'www.live.com/ANY/IN' denied: 30 Time(s)
(source: gmane.org)

Since I saw no one else mentioning or discussing this, I asked around on my Twitter list. I got an answer from one of the people behind one of the public exploits:

"That's just someone using the server as a cache that's not allowed. Real attacks show TONS of random hostnames."

He was kind enough to provide a sample of logs indicating an attack.

Jul 27 18:42:33 local@ named[19501]: client attacker#35828: query (cache) 'net/NS/IN' denied
Jul 27 18:42:37 local@ named[19501]: client attacker#55105: query (cache) 'zkdWDBuwLSD46MK1.net/A/IN' denied
Jul 27 18:42:37 local@ named[19501]: client attacker#55105: query (cache) 'zkdWDBuwLSD46MK1.net/A/IN' denied
Jul 27 18:42:37 local@ named[19501]: client attacker#55105: query (cache) 'zkdWDBuwLSD46MK1.net/A/IN' denied
Jul 27 18:42:37 local@ named[19501]: client attacker#53264: query (cache) 'eZ3bMrUqAEBBjNFH.net/A/IN' denied
Jul 27 18:42:37 local@ named[19501]: client attacker#53264: query (cache) 'eZ3bMrUqAEBBjNFH.net/A/IN' denied
Jul 27 18:42:37 local@ named[19501]: client attacker#53264: query (cache) 'eZ3bMrUqAEBBjNFH.net/A/IN' denied
Jul 27 18:42:37 local@ named[19501]: client attacker#53264: query (cache) 'eZ3bMrUqAEBBjNFH.net/A/IN' denied
Jul 27 18:42:37 local@ named[19501]: client attacker#42398: query (cache) 'AyQDrLbwlI9fHEIg.net/A/IN' denied
Jul 27 18:42:37 local@ named[19501]: client attacker#42398: query (cache) 'AyQDrLbwlI9fHEIg.net/A/IN' denied
Jul 27 18:42:37 local@ named[19501]: client attacker#42398: query (cache) 'AyQDrLbwlI9fHEIg.net/A/IN' denied
Jul 27 18:42:37 local@ named[19501]: client attacker#42398: query (cache) 'AyQDrLbwlI9fHEIg.net/A/IN' denied
Jul 27 18:42:37 local@ named[19501]: client attacker#58573: query (cache) 'pCfPyIh6y1jqkFS1.net/A/IN' denied

So, that settles it. I can go to sleep peacefully (for now). As Dan Kaminsky said: "Less drama, more patching."
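To make the distinction from that quote concrete, here is an added Python example (mine, not part of the original post and not anyone's exploit code) that parses BIND "query (cache) ... denied" lines in both shapes shown above, groups them by client, and flags a client as a likely poisoning attempt once it has asked for several distinct random-looking hostnames. The log lines are constructed for the example, modelled on the ones in the post, with RFC 5737 documentation addresses in place of real clients; the randomness heuristic and the threshold of three names are my own assumptions.

```python
import re
from collections import defaultdict

# Matches BIND "query (cache) ... denied" lines in both forms seen in the post:
# the logwatch summary ("client 1.2.3.4 query (cache) 'x/ANY/IN' denied: 30 Time(s)")
# and the raw syslog line ("client 1.2.3.4#port: query (cache) 'x/A/IN' denied").
# The opening quote is optional because it was missing in some of the sample lines.
LOG_RE = re.compile(
    r"client (?P<client>[^\s#:]+)(?:#\d+)?:? query \(cache\) "
    r"'?(?P<qname>[^/']+)/(?P<qtype>[A-Z]+)/IN'? denied"
)

# Constructed sample, modelled on the two log excerpts in the post.
SAMPLE_LINES = [
    "client 192.0.2.10 query (cache) 'com/ANY/IN' denied: 30 Time(s)",
    "client 192.0.2.10 query (cache) 'gmail.com/ANY/IN' denied: 32 Time(s)",
    "client 192.0.2.10 query (cache) 'www.google.com/ANY/IN' denied: 30 Time(s)",
    "Jul 27 18:42:33 ns1 named[19501]: client 198.51.100.7#35828: query (cache) 'net/NS/IN' denied",
    "Jul 27 18:42:37 ns1 named[19501]: client 198.51.100.7#55105: query (cache) 'zkdWDBuwLSD46MK1.net/A/IN' denied",
    "Jul 27 18:42:37 ns1 named[19501]: client 198.51.100.7#53264: query (cache) 'eZ3bMrUqAEBBjNFH.net/A/IN' denied",
    "Jul 27 18:42:37 ns1 named[19501]: client 198.51.100.7#42398: query (cache) 'AyQDrLbwlI9fHEIg.net/A/IN' denied",
    "Jul 27 18:42:37 ns1 named[19501]: client 198.51.100.7#58573: query (cache) pCfPyIh6y1jqkFS1.net/A/IN' denied",
    "Jul 27 18:42:38 ns1 named[19501]: zone example.net/IN: loaded serial 2008072700",
]


def parse_line(line):
    """Return (client, qname, qtype) for a denied cache query, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("client"), m.group("qname"), m.group("qtype")


def looks_random(label, min_len=12):
    """Heuristic (an assumption of this example): a long label mixing upper case,
    lower case and digits is treated as machine-generated."""
    if len(label) < min_len:
        return False
    has_upper = any(c.isupper() for c in label)
    has_lower = any(c.islower() for c in label)
    has_digit = any(c.isdigit() for c in label)
    return has_upper and has_lower and has_digit


def classify_clients(lines, random_threshold=3):
    """Group denied queries per client and label each client.

    A client that asked for at least `random_threshold` distinct names whose
    leftmost label looks random is reported as 'poisoning-attempt'; one that
    only hammers a fixed set of real names is 'open-resolver-abuse'.
    """
    per_client = defaultdict(lambda: {"names": set(), "random": set(), "count": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qname, _qtype = parsed
        stats = per_client[client]
        stats["count"] += 1
        stats["names"].add(qname)
        if looks_random(qname.split(".")[0]):
            stats["random"].add(qname)

    verdicts = {}
    for client, stats in per_client.items():
        if len(stats["random"]) >= random_threshold:
            verdicts[client] = "poisoning-attempt"
        else:
            verdicts[client] = "open-resolver-abuse"
    return verdicts


if __name__ == "__main__":
    for client, verdict in sorted(classify_clients(SAMPLE_LINES).items()):
        print(f"{client}: {verdict}")
```

The point of the example is the classifier's two buckets: one client repeating the same handful of well-known names is an unauthorised cache user, while a client that asks for many distinct random labels under one parent domain matches the attack logs above. In production you would feed it `named` logs via syslog, tune the heuristic and threshold to your traffic, and also watch the query rate, since the sample shows the random names arriving within the same second.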

(Photo under Creative Commons from mateus's Photostream)

1 comments:

Christian said...

Just a minor correction. That was Austrian CERT (CERT.at), not AusCERT, which is the Australian CERT.
I haven't seen any good information come from AusCERT talking about the state of play within ISPs here in Australia.