BlueSecurity Fall-Out Reveals Larger Problem
mdrebelx writes "For anyone following the BlueSecurity story, sadly the anti-spam crusader has raised the white flag. Brian Krebs with the Washington Post is reporting that after BlueSecurity's announcement, Prolexic and UltraDNS, which were both linked with BlueSecurity through business relations, came under a DNS amplification attack that brought down thousands of sites.
While much of the focus about the BlueSecurity story has been centered on the question of what can be done about spam, I think a bigger question has been raised: is the Internet really that fragile? What has been going on is essentially cyber-terrorism, and from what has been reported so far the terrorists clearly have the upper hand."
BIND when used correctly can foil/hamper these DNS attacks from occurring.
Any tool improperly used can possibly cause problems.
This is a proper way to secure a BIND nameserver.
An example would be in your BIND named.conf adding an acl section and adding to section options.
//add your trusted networks
acl "trusted_queries" { 127.0.0.1; 192.168.1.0/24; some.ip.network.outthere/8; };
acl "trusted_recursion" { 127.0.0.1; 192.168.1.0/24; some.ip.network.outthere/8; };
options {
allow-query { "trusted_queries"; };
allow-recursion { "trusted_recursion"; };
//protect your nameserver version
version "no version";
};
//and for your zones just add allow-query any //allow legitimate nameservers to get host info
zone "some.zone.com" IN {
type master;
file "pri/some.zone.com.zone";
allow-query { any; };
};
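The allow-recursion restriction in the comment above is what keeps a nameserver from being used as an amplifier: an open resolver will happily answer large recursive ANY queries for any spoofed source. As an added example (not part of the comment above or of BIND itself), here is a small Python script that takes the same kind of trusted-network list and scans BIND query-log lines for recursive queries from outside it, which is exactly the traffic a misconfigured server would be relaying. The query-log layout, the network ranges standing in for the "some.ip.network.outthere/8" placeholder, and the sample log lines are all constructed for the example.

```python
import ipaddress
import re

# Trusted networks, mirroring the acl in the named.conf above. The
# "some.ip.network.outthere/8" placeholder is replaced here by a
# documentation range; substitute your own ACL entries.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Assumed BIND query-log layout (constructed for this example):
#   client <ip>#<port>: query: <name> <class> <type> <flags>
# where a leading "+" in <flags> means the client requested recursion.
LOG_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)(?: \([^)]*\))?: "
    r"query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+) (?P<flags>\S+)"
)


def is_trusted(ip: str) -> bool:
    """True if the source address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def parse_line(line: str):
    """Parse one query-log line into a dict, or None if it is not a query line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    q = m.groupdict()
    q["recursion_desired"] = q["flags"].startswith("+")
    return q


def find_abuse(lines, amplifying_types=("ANY", "TXT", "DNSKEY", "RRSIG")):
    """Return the queries an open resolver would answer for an attacker:
    recursion requested by a source outside the trusted ACL. Each finding
    notes whether the record type is one that tends to produce large answers."""
    findings = []
    for line in lines:
        q = parse_line(line)
        if q is None or not q["recursion_desired"] or is_trusted(q["ip"]):
            continue
        findings.append({
            "source": q["ip"],
            "name": q["name"],
            "type": q["type"],
            "amplifying": q["type"].upper() in amplifying_types,
        })
    return findings


def summarize(findings):
    """Count external recursive queries per source, busiest source first."""
    counts = {}
    for f in findings:
        counts[f["source"]] = counts.get(f["source"], 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "client 192.168.1.10#4321: query: www.some.zone.com IN A +",
    "client 203.0.113.7#1024: query: isc.org IN ANY +E",
    "client 203.0.113.7#1024: query: isc.org IN ANY +E",
    "client 203.0.113.7#1024: query: isc.org IN ANY +E",
    "client 198.51.100.9#5353: query: mail.example.net IN MX +",
    "client 203.0.113.44#53: query: some.zone.com IN A -",
    "client 203.0.113.44#53: query: ripe.net IN TXT +",
    "not a query log line at all",
]

if __name__ == "__main__":
    hits = find_abuse(SAMPLE_LOG)
    for src, n in summarize(hits):
        print(f"{src}: {n} recursive queries from outside the trusted ACL")
```

A nameserver configured with the allow-recursion ACL above should never produce the external "+" entries this script flags; if it does, the ACL is not being applied, or the queries are authoritative ones for a zone where allow-query { any; } is intended. Note that the authoritative query from 203.0.113.44 for some.zone.com with recursion not requested is correctly left alone.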
I work for an unnamed backbone provider, and have currently been involved in blocking said DNS amplification attack... to give you a general idea of the size of the attack and the number of zombies involved... When I left work, the attack was 14,768% of 9.8MBps... or over 13GBit/sec... Our infrastructure is holding up just fine, however. Personally, I'd like to find the 'owner' of these zombies, and castrate him. I guess the guy doesn't have anything better to do with his life than trash the net...
According to this, the Blue Frog model will be open sourced as a peer-to-peer model available through sourceforge.net.
Sadly the internet is already compromised since the bot networks are already too large for most organisations to take on.
I hope someone does something to deal with the botnet threats. Being able to suck multiple gigabits of bandwidth means 'they' can kill any small to medium sized internet operation if they want to via a range of attacks from the simple to the rather sophisticated.
Tier1 ISPs usually don't care other than possibly to try and filter all your traffic to prevent their other customers from suffering.
Some medium/larger sized companies use services like Akamai SiteShield that are capable of sustaining a reasonable DDoS-ing, but the botnet operators will eventually realise that the attacks are not just about knocking a site offline. Akamai will charge you for that traffic, which will send the companies bankrupt anyway (and possibly quicker than going offline). In fact I was wondering how on earth BlueSecurity were going to pay their bandwidth bill.
The defences we have against such attacks are pathetic. I was amused in an episode of 24 when they came under an online attack from terrorists and their new "CISCO FIREWALL" protects them. I mean, seriously, the firewalls are the least of your problems these days. If you come under attack from one of these serious Russian dudes, you'd be looking at trying to filter the traffic well before it reaches the firewalls, since your line and network would be saturated.
Doesn't being a terrorist imply terrorizing people?
Traditionally, yes. This might be "economic terrorism"(tm); according to the Dept. of Defense, terrorism is "the unlawful use of -- or threatened use of -- force or violence against individuals or property to coerce or intimidate governments or societies, often to achieve political, religious, or ideological objectives." This would seem to apply here.
We are all just people.