[AusNOG] census issues tonight
James Braunegg
james.braunegg at micron21.com
Thu Aug 11 21:51:31 EST 2016
They have also done what they should have done in the first place…
Basically black hole the entire /24 route (via specific /32 and /25 routes) from international access … other than within Australia, rather than just black holing the first 20 IP addresses within 150.207.169.0/24 as originally done on Census night.
Guess they are learning the lesson the hard way… I could have given them that advice for free before the event…
Kindest Regards
James Braunegg
P: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
E: james.braunegg at micron21.com | ABN: 12 109 977 666
W: www.micron21.com/ddos-protection T: @micron21
Follow us on Twitter (http://www.twitter.com/micron21) for important service and system updates.
From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of johnstsquare at tpg.com.au
Sent: Thursday, 11 August 2016 9:40 PM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] census issues tonight
+1
The same with 8.8.4.4 and OpenDNS public resolvers
ABS is using geo-blocking with layer-3 IP ACL on the routers upstream from their DNS servers. VPN users terminating outside of Australia (yay HBO Go and Amazon video), or employees of MNCs with resolvers outside of Australia.
Because it was a layer-3 block, they just dropped the traffic and the user’s resolver would keep sending DNS queries. As a result, there were numerous resolvers sending a flood of requests to census.abs.gov.au DNS servers which looked like a small amplification attack.
Additionally they have taken the wrong move of increasing TTLs to try to reduce load on their DNS. This makes it hard to move to a cloud DDoS provider as the DNS will take 24hrs to propagate. 14400 seconds.
www.census.abs.gov.au. 14400 IN A 150.207.169.5
------
$ dig +trace www.census.abs.gov.au @61.88.88.88
; <<>> DiG 9.8.3-P1 <<>> +trace www.census.abs.gov.au @61.88.88.88
;; global options: +cmd
. 333196 IN NS j.root-servers.net.
. 333196 IN NS k.root-servers.net.
. 333196 IN NS l.root-servers.net.
. 333196 IN NS m.root-servers.net.
. 333196 IN NS a.root-servers.net.
. 333196 IN NS b.root-servers.net.
. 333196 IN NS c.root-servers.net.
. 333196 IN NS d.root-servers.net.
. 333196 IN NS e.root-servers.net.
. 333196 IN NS f.root-servers.net.
. 333196 IN NS g.root-servers.net.
. 333196 IN NS h.root-servers.net.
. 333196 IN NS i.root-servers.net.
;; Received 228 bytes from 61.88.88.88#53(61.88.88.88) in 152 ms
au. 172800 IN NS a.au.
au. 172800 IN NS b.au.
au. 172800 IN NS u.au.
au. 172800 IN NS v.au.
au. 172800 IN NS w.au.
au. 172800 IN NS x.au.
au. 172800 IN NS y.au.
au. 172800 IN NS z.au.
;; Received 491 bytes from 199.7.83.42#53(199.7.83.42) in 114 ms
gov.au. 86400 IN NS w.au.
gov.au. 86400 IN NS x.au.
gov.au. 86400 IN NS z.au.
gov.au. 86400 IN NS y.au.
;; Received 279 bytes from 58.65.253.73#53(58.65.253.73) in 146 ms
abs.gov.au. 14400 IN NS ns1.telstra.net.
abs.gov.au. 14400 IN NS ns1.abs.gov.au.
;; Received 102 bytes from 37.209.198.5#53(37.209.198.5) in 62 ms
census.abs.gov.au. 10800 IN NS auolpr00dn01d.abs.gov.au.
census.abs.gov.au. 10800 IN NS auolpr00dn02d.abs.gov.au.
census.abs.gov.au. 10800 IN NS auolpr00dn04d.abs.gov.au.
census.abs.gov.au. 10800 IN NS auolpr00dn03d.abs.gov.au.
;; Received 215 bytes from 139.130.4.5#53(139.130.4.5) in 48 ms
www.census.abs.gov.au. 14400 IN A 150.207.169.5
www.census.abs.gov.au. 14400 IN A 150.207.169.8
census.abs.gov.au. 86400 IN NS auolpr00dn01d.abs.gov.au.
census.abs.gov.au. 86400 IN NS auolpr00dn03d.abs.gov.au.
census.abs.gov.au. 86400 IN NS auolpr00dn02d.abs.gov.au.
census.abs.gov.au. 86400 IN NS auolpr00dn04d.abs.gov.au.
;; Received 183 bytes from 150.207.169.7#53(150.207.169.7) in 9 ms
From: Chris Lee <chris at datachaos.com.au>
Date: Thursday, August 11, 2016 at 7:09 PM
To: "ausnog at lists.ausnog.net" <ausnog at lists.ausnog.net>
Subject: Re: [AusNOG] census issues tonight
Online so long as you don't use Google DNS for lookups...
; <<>> DiG 9.10.4-P1 <<>> @8.8.8.8 census.abs.gov.au
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45286
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;census.abs.gov.au. IN A
;; Query time: 33 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Aug 11 19:06:03 AEST 2016
;; MSG SIZE rcvd: 46
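
Added example, not part of any message in this thread: a small parser that reads the TTLs out of the final authoritative answer in the dig +trace output above and works out how long caches can keep serving each record set if the zone is repointed (for instance at a DDoS mitigation provider). The function names and the 300-second low_ttl are assumptions made for illustration.

```python
import re

# Final authoritative answer copied from the dig +trace output in the thread.
DIG_ANSWER = """\
www.census.abs.gov.au. 14400 IN A 150.207.169.5
www.census.abs.gov.au. 14400 IN A 150.207.169.8
census.abs.gov.au. 86400 IN NS auolpr00dn01d.abs.gov.au.
census.abs.gov.au. 86400 IN NS auolpr00dn03d.abs.gov.au.
census.abs.gov.au. 86400 IN NS auolpr00dn02d.abs.gov.au.
census.abs.gov.au. 86400 IN NS auolpr00dn04d.abs.gov.au.
;; Received 183 bytes from 150.207.169.7#53(150.207.169.7) in 9 ms
"""

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")

def parse_records(text):
    """Return (name, ttl, type, rdata) tuples, skipping dig comment lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        match = RR_LINE.match(line)
        if match:
            name, ttl, rtype, rdata = match.groups()
            records.append((name.lower(), int(ttl), rtype.upper(), rdata))
    return records

def stale_windows(records):
    """Longest time (seconds) a cache may keep each RRset after it changes."""
    worst = {}
    for name, ttl, rtype, _ in records:
        worst[(name, rtype)] = max(worst.get((name, rtype), 0), ttl)
    return worst

def migration_plan(records, low_ttl=300):
    """low_ttl is a hypothetical pre-cutover TTL, not a value from the thread."""
    plan = {}
    for rrset, ttl in stale_windows(records).items():
        plan[rrset] = {
            "stale_if_changed_now_s": ttl,
            "wait_after_lowering_ttl_s": ttl,  # old TTL must age out first
            "stale_after_prepared_cutover_s": min(ttl, low_ttl),
        }
    return plan

if __name__ == "__main__":
    for (name, rtype), steps in migration_plan(parse_records(DIG_ANSWER)).items():
        print(name, rtype, {k: f"{v / 3600:.2f} h" for k, v in steps.items()})
```

Run on the records above, the A record set ages out of caches after 14400 seconds (4 hours) and the NS record set after 86400 seconds (24 hours).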