[u-u] DNS Reflection Amplification Attack Mitigation

Hugh Gamble hugh at phaedrav.com
Wed Dec 10 16:31:03 EST 2014


There are 'proper' mitigation rules
for public DNS servers that do recurse and forward.
The standard botnets send (small) requests from infected computers/phones
etc., requesting the largest common records to the spoofed address.
You can tcpdump hex codes for the rules.
You can tcpdump hex codes for the rules.

I'm just doing iptables DROP on the spoofed remote target IP
which does change day to day (and I add/change rules).
There may be several spoofed addresses concurrently,
typically for the same host or facility.

I don't see how the controller would easily notice that.
It may be that someone upstream also started mitigation,
and the timing of cessations with my changes is coincidental.

> -----Original Message-----
> From: klodefactor at gmail.com [mailto:klodefactor at gmail.com]
> Sent: December-10-14 10:29 AM
> To: Hugh Gamble; u-u at unixunanimous.org
> Subject: Re: [u-u] DNS Reflection Amplification Attack Mitigation
> 
> Just thinking out loud here...
> 
> You were dropping their packets on the floor? Any chance you were replying
> with an ICMP unreachable message?  I just don't want to ignore an obvious
> case.
> 
> If only dropping, the attacker could implement a rudimentary heartbeat by
> changing the target IP now and then, to a system of their own.
> 
> It's a bit cumbersome, and it risks early exposure of part of their C&C systems
> and communication; the heartbeat receiver ("stethoscope"?) would be easy to
> find.  But this heartbeat has the advantage of being able to change the detector
> easily: just change the target IP for the heartbeat.
> 
> As for risks to C&C, I imagine a botnet would be handy :-).
> 
> Assuming it's not just a coincidence...
> 
> Claude
> -----Original Message-----
> From: "Hugh Gamble" <hugh at phaedrav.com>
> Sender: u-u-bounces at unixunanimous.org
> Date: Tue, 9 Dec 2014 14:54:43
> To: <u-u at unixunanimous.org>
> Subject: [u-u] DNS Reflection Amplification Attack Mitigation
> 
> _______________________________________________
> u-u mailing list
> u-u at unixunanimous.org
> https://unixunanimous.org/mailman/listinfo/u-u
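As an added illustration of the approach in Hugh's message (this is not code from the post or the list): a Python sketch that parses the question section of incoming DNS queries, counts per-source queries for high-amplification record types, and emits the per-target iptables DROP rules he describes. The sample traffic, the threshold and all function names are constructed assumptions; because the source addresses are spoofed, a hit names the reflection victim, not the bot.

```python
import struct
from collections import Counter

QTYPE_ANY, QTYPE_TXT, QTYPE_DNSKEY = 255, 16, 48
AMPLIFYING_QTYPES = {QTYPE_ANY, QTYPE_TXT, QTYPE_DNSKEY}

def build_query(name, qtype, txid=0x1234):
    """Constructed sample: minimal DNS query (header + one question), no EDNS."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set; QDCOUNT=1
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)

def parse_question(payload):
    """Return (qname, qtype, qclass) from the single question of a DNS query."""
    if len(payload) < 12 or struct.unpack(">H", payload[4:6])[0] != 1:
        raise ValueError("not a single-question DNS message")
    off, labels = 12, []
    while True:
        n = payload[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("compressed qname in question")
        labels.append(payload[off:off + n].decode("ascii"))
        off += n
    qtype, qclass = struct.unpack(">HH", payload[off:off + 4])
    return ".".join(labels), qtype, qclass

def find_reflection_sources(packets, threshold):
    """packets: iterable of (src_ip, dns_payload). Return {src_ip: count} for sources
    sending >= threshold queries for amplifying qtypes. The source address is spoofed,
    so a hit names the victim whose address is being reflected at, not the bot."""
    counts = Counter()
    for src_ip, payload in packets:
        try:
            _, qtype, qclass = parse_question(payload)
        except (ValueError, IndexError, struct.error):
            continue  # malformed or truncated query: ignore for counting purposes
        if qclass == 1 and qtype in AMPLIFYING_QTYPES:
            counts[src_ip] += 1
    return {ip: c for ip, c in counts.items() if c >= threshold}

def iptables_drop_rules(victims):
    """Per-target DROP rules as in the post: drop queries claiming to come from the spoofed address."""
    return [f"iptables -A INPUT -p udp --dport 53 -s {ip} -j DROP" for ip in sorted(victims)]

# Constructed sample traffic (RFC 5737 addresses): 20 ANY queries 'from' the spoofed victim, 3 A queries from a real client.
SAMPLE = [("198.51.100.7", build_query("isc.org", QTYPE_ANY))] * 20 + [("192.0.2.10", build_query("example.com", 1))] * 3
```

Running `iptables_drop_rules(find_reflection_sources(SAMPLE, 10))` yields one DROP rule for 198.51.100.7; the threshold would be tuned against the server's normal query mix.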
