<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:black;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Dear All<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Just thought I’d share some interesting<span style='color:black'>,</span> potentially frightful information with reference to DNS amplification request attacks we have observed.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>We are now seeing 100’s of targeted IP addresses within the same network AS targeted by 1000’s of IP addresses (all of which are spoofed UDP packets)<span style='color:black'> a network administrators nightmare.</span><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Normally we see a DDoS attacks against specific /32 IP address although it would appear the tables are turning to have a more distributed attack towards the targeted network which hosts the /32 service which is being attacked<span style='color:black'>.</span><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>What we have noticed however is all the attack traffic regardless of the source, distention, targeted URL or query has a common pattern matching signature of \50\fa\00\08\00\01\20 common to every packet generated from this substantial botnet which is frequently published on this amplification attack webpage. <a href="http://dnsamplificationattacks.blogspot.com.au/">http://dnsamplificationattacks.blogspot.com.au/</a> <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>This pattern is common both if you’re receiving the attack or if your network is participating in the attack, so as long as you can filter each packet based on an exact hex format you have a chance on mitigating the attack traffic.<span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:black'>What’s also interesting is whilst open DNS resolvers used to be the common source of DNS amplification older versions of bind are also susceptible to participate in an attack even if open resolving is turned off when a request comes through, as BIND prior to version 9.5 allows root hint servers to be returned even when a REFUSED response is sent. You can disable this by adding `additional_from_cache no;` into BIND's configuration, which has stopped sending root hint servers along with REFUSED status.<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:black'>Hope this information is useful, happy to discuss in more detail if you’re interested !<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:black'>Kindest Regards<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-family:"Verdana","sans-serif";color:black'>James Braunegg<br></span></b><b><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'>P:</span></b><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'> 1300 769 972 | <b>M:</b> 0488 997 207 | <b>D:</b> (03) 9751 7616</span><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'><o:p></o:p></span></p><p class=MsoNormal><b><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'>E:</span></b><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'> </span><span style='color:black'><a href="mailto:james.braunegg@micron21.com"><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'>james.braunegg@micron21.com</span></a></span><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'> | <b>ABN:</b> 12 109 977 666 <br><b>W:</b> <a href="http://www.micron21.com/ip-transit"><span style='color:black'>www.micron21.com/ip-transit</span></a></span><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'> </span><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'> <b>T:</b> @micron21<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'><br><img border=0 width=250 height=39 id="Picture_x0020_1" src="cid:image001.jpg@01CEC9A7.A9BE1050" alt="Description: Description: Description: Description: M21.jpg"><br></span><span lang=EN-AU style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'>This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee. If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer.</span><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>