Arbor Networks: Security to the Core

During the ISP Security BOF at NANOG 40 last week in Bellevue, Washington, John Kristoff of Neustar Ultra Services provided a nice summary of what actually occurred during the February 6/7, 2007 DNS attacks.

He began by providing a summary of the considerable amount of mis-information provided about the attacks, with his personal favorite being an article titled UltraDNS attack targeted G and L root servers (1st Update). I suppose I can see how such a title might prove a bit misleading. From there, John noted some of the more useful information provided at the time, and in particular that from a lightning talk at NANOG 39 by Dave Knight at the tail end of the attacks.

John provided that the actual targets of this attack were:

• F-Root, G-Root, L-Root and M-Root
• A9.INFO.AFILIAS-NST.info
• B9.INFO.AFILIAS-NST.ORG
• C9.INFO-AFILIAS-NST.info
• And another set most folks haven’t heard of, ns[2-5].opihhkj.com
• and pehaps ns1.opihhkj.com, but not certain

He went on to cite more mis-information provided by the media and emphasized how difficult it was to find an accurate story. He provided a pointer to the ICANN fact sheet about the attacks, released about a month later, and noted that the fact sheet was mostly OK, although the who, when and packet level details were imprecise.

Some of the unique information that John shared about the attacks included details on the botnet involved (these were the numbers and distribution of the bots themselves, firepower from each varied):

• ~4500-5000 bots on Microsoft Windows Boxes
• ~65% from South Korea
• ~19% from United States
• ~3.5% from Canada
• ~2.5% from China
• The rest from various places

The botnet controller was HTTP-based, physically located in Dallas, TX, USA, and was located by the bots via DNS, with a backup DNS name as well. The botnet itself was associated with a Russian-affiliated reseller and has continued to be used for DDoS attacks up until 2007-05-23.

The attacks consisted of:

• bots performed one DNS query per victim
• bots setup three “threads” per victim
• unique but stable source port per thread
• each thread employed it’s own 1023-octet payload “seed”
• UDP packets were then flooded to each victim on port 53
• source address was NOT spoofed
• each UDP packet of random 0-1023 seed payload
• each thread was set to last 24 hours

As for mitigation, because non-spoofed some source-based mitigation/filtering could be employed but difficult. If capability exists, something like this could have been done:

• ‘dst port 53 and udp[10:2] > 0 and udp[12:2] != 1 and udp[14:2] > 0′
• 10:2 dns flags
• 12:2 qdcount
• 14:2 ancount

Other mitigation techniques included packet size filter > 300-512 octets (which wouldn’t have stopped everything and possibly even dropped some legitimate packets, but did help quell the storm a bit) or forced TCP switched-over solutions.

While John wasn’t really able to find much regarding the motivation of the attackers, he suspects a test of strength or some similar demonstration of sorts. He also mentioned that many of the other targets hit by the botnet were of “Russian origin”.

Some of his takeaways included:

• observation that folks seem to pay more attention to attacks when they target the root servers, even though it’s one of the most resilient services infrastructures on the Internet
• anycasting DNS infrastructure helps (and therefore you should peer with your DNS providers)
• F-Root data available through OARC was invaluable
• so-called ‘experts’ rarely are
• a well-formed attack could have made things worse
• these attacks weren’t really that bad

I’m glad John’s shared some of these details, I hope the information provided here helps folks when they’re looking for actual experts next go round..

This entry was posted on Saturday, June 9th, 2007 at 4:28 pm and is filed under Arbor Networks, Botnets, Critical Infrastructure, Interesting Research. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.