Tuesday, February 25, 2014

Authoritative Name Server attack

As of early February I have been observing new weird DNS requests that I think can only be labeled as an Resource Exhaustion Attack against Authoritative Name Servers. An attack strong enough to cripple DNS providers that are hosting thousands and thousands of domains....

Though I am hearing a lot of sounds about it being related to malware but evidence for that has yet to surface.

The first report I read about this was the following post on Spiceworks[1], where some people labeled this as an in -or out going DNS amplification attack. Since then I have heard from DNS admins from all over the world who where seeing similar traffic and rules they wrote to defend themselves against it.

I believe that this attack is also what was troubling some Linux PowerDNS[2] installs.


Amplification Attacks


When an attacker wants to take down a website or host it has different ways to do so. One of which is a Denial of Service (DOS) attack. One common form of attack is a DNS and since recently NTP Reflective Amplification Attacks. These attacks focus on flooding the internet pipe of the victim with useless traffic generated by open DNS/NTP servers on the web.

For these attacks to work an attacker needs -multiple- host with 1gbit uplinks and the ability to spoof source IPs on that AS and a list of good Open DNS/NTP servers.

A good open server is in this case a DNS or NTP server that is capable of sending a much larger response to a small request. For DNS one would search for DNS server supporting EDNS and for NTP servers that support the Monlist command.

The attack

The DNS based attack I have been observing does not require very high quality DNS servers, actually any open resolver will do.

The attackers simply floods the open resolver(s) with non-existent sub-domains for a domain. This will require the resolver to query the DNS hierarchic and contact the authoritative name server for the domain.  One can imagine the effects of hundreds, thousands or even millions of open resolvers contacting the same bunch of authoritative name servers with unique requests multiple times per second.

While writing this blog I observed lots of queries to *.www.0538hj.com. The name servers for this domains are:

;; QUESTION SECTION:
;0538hj.com.                    IN      NS

;; ANSWER SECTION:
0538hj.com.             60345   IN      NS      dns11.hichina.com.
0538hj.com.             60345   IN      NS      dns12.hichina.com.

;; ADDITIONAL SECTION:
dns12.hichina.com.      84272   IN      A       223.5.2.82
dns12.hichina.com.      84272   IN      A       121.196.255.82
dns12.hichina.com.      84272   IN      A       121.196.255.132
dns11.hichina.com.      84272   IN      A       223.5.2.131
dns11.hichina.com.      84272   IN      A       121.196.255.81
dns12.hichina.com.      84272   IN      A       42.96.255.82
dns11.hichina.com.      84272   IN      A       42.96.255.81
dns12.hichina.com.      84272   IN      A       42.96.255.132
dns11.hichina.com.      84272   IN      A       223.5.2.81
dns11.hichina.com.      84272   IN      A       42.96.255.131
dns11.hichina.com.      84272   IN      A       121.196.255.131
dns12.hichina.com.      84272   IN      A       223.5.2.132

While this attack was ongoing it was very difficult to get a response from one of these servers. Goes to show how effective the attack is.

dig a 0538hj.com @dns11.hichina.com
;; global options: +cmd
;; connection timed out; no servers could be reached

About 1 out of 8 queries seemed to get an answer.
The query rate was about 2 - 8 queries per second.

First!


My logs suggest I first started seeing these attacks on Febuary the 3th with domain: abpdesthvwxyz.gb41.com.
The following graph shows the amount of unique domain names this resolver has been seeing each day in February.


Normally this would only be about 10 a day as this server is not used in any legitimate way but participates only in DNS amp and receives some DNS scans. On days I have been seeing these attacks I have seen spikes as high as 16.000 unique domains.


Domains the method - Name Servers the targets


Over time I have seen a multitude of domains. Here are some of the bigger attacks I have seen. The count represent the amount of sub-domains I observed that day. As each sub domain is only requested once this is equal to the amount of IPs and requests.

Count     Date             Domain
 103294 2014-02-11 .jn176.com
  74525 2014-02-22 .sf123.com
  69164 2014-02-13 .iidns.com
  60176 2014-02-23 .sf123.com
  49855 2014-02-21 .sf123.com
  46308 2014-02-14 .567uu.com
  46023 2014-02-11 .hcq99.com
  41051 2014-02-22 .51pop.net
  31899 2014-02-12 .gx911.com
  30139 2014-02-11 .gx911.com
  29984 2014-02-12 .999qp.net
  28956 2014-02-19 .jd176.com
  27736 2014-02-18 .269sf.com
  27006 2014-02-10 .yinquanxuan.com
  25780 2014-02-14 .iidns.com
  25576 2014-02-15 .567uu.com
  25417 2014-02-05 .139hg.com
  22184 2014-02-23 .52ssff.com
  20424 2014-02-15 .liehoo.net
  19609 2014-02-11 .sf717.com
  19525 2014-02-18 .chinahjfu.com
  19452 2014-02-14 .369df.com
  18496 2014-02-05 .hqsy120.com
  18086 2014-02-18 .5kkx.com
  17932 2014-02-23 .51pop.net
  17257 2014-02-14 .love303.com
  16617 2014-02-15 .cxmyy.com
  16614 2014-02-15 .cc176.com
  16380 2014-02-11 .999qp.net
  16244 2014-02-15 .jdgaj.com
  15977 2014-02-19 .bdhope.com
  15316 2014-02-12 .hcq99.com
  14808 2014-02-19 .seluoluo3.com
  14675 2014-02-14 .422ko.com
  14086 2014-02-19 .250hj.com
  13900 2014-02-22 .5ipop.net
  13477 2014-02-14 .lcjba.com
  13415 2014-02-04 .wb123.com
  13315 2014-02-23 .luse7.com
  13079 2014-02-23 .luse8.com


Name servers:


The above domains use the following name servers and we can assume that during these attacks these name servers where very difficult to reach. 

      4 iidns.com.
      3 hichina.com.
      3 dnsabc-b.com.
      2 dnsabc-g.com.
      3 gfdns.net.
      1 zndns.com.
      1 51dns.com.
      1 360wzb.com.
      1.gfdns.net.
      1 51dns.com.
      1 domaincontrol.com.
      1 dnspod.com.

Most of these name servers belong to Chinese registrars. Some of these registrars are responsible for up to half a million domains.

Spoofed or not?


Each DNS query is received from a different IP-address. This suggest spoofing but not in the way it is used with reflective amplification attacks, to specify the target. Here it seems to be used to cloak the origin of these queries from the resolvers.

I keep track of a few values for each query that comes in. Among others its Time To Live (TTL), a value that is not often spoofed.

Count     TTL
   1074    234
   2226    235
  19106   236
  53624   237
  54193   238
 107010  239
 197934  240
 234902  241
 226965  242
 322752  243
 308978  244
 239031  245
 185288  246
 158441  247
  62255   248
  23045   249

16 different TTLs not bad. Suggests it is from all over the globe. Until I noticed the following request for a domain matching this regex:

[a-z]\.www.luse[0-9]\.com\.

Two queries occurred within the same hours but its TTL was off by a lot:

ip=77.92.48.67 ; domain=bryaiqfvenakbsr.www.luse0.com ; count=1 ; qtype=A ; ttl=234
ip=77.92.48.67 ; domain=izeuvqnkcooofqx.www.luse6.com ; count=1 ; qtype=A ; ttl=247

13 hops difference, that could be the difference between a request from Europe or the US a change like that doesn't add up. I call that evidence of spoofing.


Detection


For me it is pretty easy to detect these attacks now that I know what to look for. But I am fortunate enough to have very little legit traffic so this malicious traffic stands out nicely. When running a (very) large resolver for a network it will be more difficult to spot, let alone block.

Characteristics
So far I have only seen queries for:

- All queries are for A records
- No OPT resource record in query
- One label is randomized
-The random sub-domain contains only chars a-z
- Random sub-domain label length is between: 1 <> 16

Remedy 

Automatically flagging of these domains might result in false positive. So until a characteristic is found that can be used to isolate this traffic more specifically it will be mainly manual labor to maintain blacklists.

One way of dropping this traffic would be by using the IPtables strings module:

iptables --insert INPUT -p udp --dport 53 -m string --from 34 --to 80 --algo bm --hex-string '|056c7573653003636f6d00|' -j DROP -m comment --comment "DROP DNS Q luse0.com"


An employee of Secure64 pointed me to their blog about the subject:

https://blog.secure64.com/?p=377

References:

[1] - http://community.spiceworks.com/topic/441721-what-does-a-dns-amplification-ddos-attack-look-like
[2] - http://blog.powerdns.com/2014/02/06/related-to-recent-dos-attacks-recursor-configuration-file-guidance/

Monday, February 10, 2014

Domain: sheshows.com

Domain: sheshows.com

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x08534845 && 0x2c&0xDFDFDFDF=0x53484f57 && 0x30&0xDFFFDFDF=0x5303434f && 0x34&0xDFFF0000=0x4d000000" -j DROP -m comment --comment "DROP DNS Q sheshows.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 54 --algo bm --hex-string '|0873686573686f777303636f6d00|' -j DROP -m comment --comment "DROP DNS Q sheshows.com"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


40.187.114.250

Name server:


;; ANSWER SECTION:
sheshows.com. 598 IN NS safe.qycn.cn.
sheshows.com. 598 IN NS safe.qycn.com.
sheshows.com. 598 IN NS safe.qycn.org.
sheshows.com. 598 IN NS safe.qycn.net.


Response:


A 1
Rsize 46


Whois



Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: SHESHOWS.COM
Registrar: THREADTRADE.COM, INC
Whois Server: whois.yourjungle.com
Referral URL: http://secure.bellnames.com
Name Server: SAFE.QYCN.CN
Name Server: SAFE.QYCN.COM
Status: ok
Updated Date: 10-feb-2014
Creation Date: 29-dec-2013
Expiration Date: 29-dec-2014

>>> Last update of whois database: Tue, 11 Feb 2014 00:12:17 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

Domain Name: SHESHOWS.COM

Registrant:
registrant_org:
registrant_name: lirong shi
registrant_email: gl@beianX.com
registrant_address: beijing
registrant_city: beijing
registrant_state: beijing
registrant_zip: 100100
registrant_country: CN
registrant_phone:

Administrative Contact:
admin_org:
admin_name: lirong shi
admin_email: gl@beianX.com
admin_address: beijing
admin_city: beijing
admin_state: beijing
admin_zip: 100100
admin_country: CN
admin_phone:

Technical Contact:
tech_org:
tech_name: lirong shi
tech_email: gl@beianX.com
tech_address: beijing
tech_city: beijing
tech_state: beijing
tech_zip: 100100
tech_country: CN
tech_phone:

Billing Contact:
bill_org:
bill_name: lirong shi
bill_email: gl@beianX.com
bill_address: beijing
bill_city: beijing
bill_state: beijing
bill_zip: 100100
bill_country: CN
bill_phone:

Creation Date: 2013-12-29
Expiration Date: 2014-12-29
Name Servers:
SAFE.QYCN.CN
SAFE.QYCN.COM






Domain: dqwd.ru

Domain: dqwd.ru

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x04445157 && 0x2c&0xDFFFDFDF=0x44025255 && 0x30&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q dqwd.ru"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 49 --algo bm --hex-string '|046471776402727500|' -j DROP -m comment --comment "DROP DNS Q dqwd.ru"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


93.174.95.57

Name server:


;; ANSWER SECTION:
dqwd.ru. 21599 IN NS ns1.reg.ru.
dqwd.ru. 21599 IN NS ns2.reg.ru.


Response:


A 241
NS 2
SOA 1
Rsize 3952


Whois


% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain: DQWD.RU
nserver: ns1.reg.ru.
nserver: ns2.reg.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGRU-REG-RIPN
admin-contact: http://www.reg.ru/whois/admin_contact
created: 2014.01.31
paid-till: 2015.01.31
free-date: 2015.03.03
source: TCI

Last updated on 2014.02.11 03:56:58 MSK




Domain: fkfkfkfr.com

Domain: fkfkfkfr.com

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x08464b46 && 0x2c&0xDFDFDFDF=0x4b464b46 && 0x30&0xDFFFDFDF=0x5203434f && 0x34&0xDFFF0000=0x4d000000" -j DROP -m comment --comment "DROP DNS Q fkfkfkfr.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 54 --algo bm --hex-string '|08666b666b666b667203636f6d00|' -j DROP -m comment --comment "DROP DNS Q fkfkfkfr.com"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
fkfkfkfr.com. 21599 IN NS ns6.fkfkfkfr.com.
fkfkfkfr.com. 21599 IN NS ns5.fkfkfkfr.com.


Response:


A 243
NS 2
SOA 1
Rsize 3974


Whois



Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: FKFKFKFR.COM
Registrar: NETWORK SOLUTIONS, LLC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com/en_US/
Name Server: NS5.FKFKFKFR.COM
Name Server: NS6.FKFKFKFR.COM
Status: clientTransferProhibited
Updated Date: 29-jan-2014
Creation Date: 28-jan-2014
Expiration Date: 28-jan-2015

>>> Last update of whois database: Mon, 10 Feb 2014 23:56:52 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.


Domain Name: FKFKFKFR.COM
Registry Domain ID:
Registrar WHOIS Server: whois.networksolutions.com
Registrar URL: http://www.networksolutions.com/en_US/
Updated Date: 2014-01-28T00:00:00Z
Creation Date: 2014-01-28T00:00:00Z
Registrar Registration Expiration Date: 2015-01-28T00:00:00Z
Registrar: NETWORK SOLUTIONS, LLC.
Registrar IANA ID: 2
Registrar Abuse Contact Email: abuse@web.com
Registrar Abuse Contact Phone: 800-333-7680
Reseller:
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: Rattani, Altaf
Registrant Organization:
Registrant Street: ATTN insert domain name here care of Network Solutions PO Box 459
Registrant City: Drums
Registrant State/Province: PA
Registrant Postal Code: 18222
Registrant Country: US
Registrant Phone: 570-708-8780
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:
Registry Admin ID:
Admin Name: Rattani, Altaf
Admin Organization: null
Admin Street: ATTN insert domain name here care of Network Solutions PO Box 459
Admin City: Drums
Admin State/Province: PA
Admin Postal Code: 18222
Admin Country: US
Admin Phone: 570-708-8780
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: my3cx65984r@networksolutionsprivateregistration.com
Registry Tech ID:
Tech Name: Rattani, Altaf
Tech Organization: null
Tech Street: ATTN insert domain name here care of Network Solutions PO Box 459
Tech City: Drums
Tech State/Province: PA
Tech Postal Code: 18222
Tech Country: US
Tech Phone: 570-708-8780
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: my3cx65984r@networksolutionsprivateregistration.com
Name Server: NS5.FKFKFKFR.COM
Name Server: NS6.FKFKFKFR.COM
DNSSEC: not signed
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of whois database: Mon, 10 Feb 2014 23:56:52 UTC <<<

This listing is a Network Solutions Private Registration. Mail
correspondence to this address must be sent via USPS Express Mail(TM) or
USPS Certified Mail(R); all other mail will not be processed. Be sure to
include the registrant's domain name in the address.

The data in Networksolutions.com's WHOIS database is provided to you by
Networksolutions.com for information purposes only, that is, to assist you in
obtaining information about or related to a domain name registration
record. Networksolutions.com makes this information available "as is," and
does not guarantee its accuracy. By submitting a WHOIS query, you
agree that you will use this data only for lawful purposes and that,
under no circumstances will you use this data to: (1) allow, enable,
or otherwise support the transmission of mass unsolicited, commercial
advertising or solicitations via direct mail, electronic mail, or by
telephone; or (2) enable high volume, automated, electronic processes
that apply to Networksolutions.com (or its systems). The compilation,
repackaging, dissemination or other use of this data is expressly
prohibited without the prior written consent of Networksolutions.com.
Networksolutions.com reserves the right to modify these terms at any time.
By submitting this query, you agree to abide by these terms.




Domain: gerdar3.ru

Domain: gerdar3.ru

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x07474552 && 0x2c&0xDFDFDFFF=0x44415233 && 0x30&0xFFDFDFFF=0x02525500" -j DROP -m comment --comment "DROP DNS Q gerdar3.ru"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 52 --algo bm --hex-string '|076765726461723302727500|' -j DROP -m comment --comment "DROP DNS Q gerdar3.ru"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


54.230.84.31

Name server:


;; ANSWER SECTION:
gerdar3.ru. 599 IN NS ns1.spaceweb.ru.
gerdar3.ru. 599 IN NS ns2.spaceweb.ru.


Response:


A 13
MX 28
NS 2
SOA 1
TXT 11
Rsize 4006


Whois


% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain: GERDAR3.RU
nserver: ns1.spaceweb.ru.
nserver: ns2.spaceweb.ru.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
registrar: R01-REG-RIPN
admin-contact: https://partner.r01.ru/contact_admin.khtml
created: 2014.02.08
paid-till: 2015.02.08
free-date: 2015.03.11
source: TCI

Last updated on 2014.02.11 03:51:37 MSK