
SANS ISC InfoSec Handlers Diary Blog


CSAM: ANY queries used in reflective DoS attack

Published: 2013-10-08
Last Updated: 2013-10-08 21:19:20 UTC
by Johannes Ullrich (Version: 1)

Our reader Phillip sent in the following log excerpt:

15:53:34.329883 IP > 59.167.x.35.53: 9158+ [1au] ANY? (41)
15:53:34.331562 IP > 59.167.x.36.53: 9158+ [1au] ANY? (41)
15:53:34.331785 IP > 59.167.x.32.53: 9158+ [1au] ANY? (41)
15:53:34.332050 IP > 59.167.x.39.53: 9158+ [1au] ANY? (41)
15:58:56.288188 IP > 59.167.x.32.53: 17253+ [1au] A? (50)
15:59:23.345810 IP > 59.167.x.34.53: 28322+ [1au] A? (50)

There are a couple of indicators that these logs are "odd":

- ANY queries are unusual in normal DNS traffic. They are valid, but rarely used by ordinary clients; for DoS attacks they are attractive because they provoke large responses.
- the source port and the query ID don't change
- the queries are sent in very rapid succession.

The main "feature" of the queried domain becomes obvious if you look at the size of the response:

$ dig ANY
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.8.5-P1 <<>> ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39771
;; flags: qr rd ra; QUERY: 1, ANSWER: 244, AUTHORITY: 1, ADDITIONAL: 1
;; ANSWER SECTION: 3589 IN SOA 2012292301 28800 86400 3600000 86400 1789 IN A 1789 IN A
... 1789 IN A 1789 IN A 1789 IN NS
;; Query time: 7 msec
;; WHEN: Tue Oct 08 17:09:00 EDT 2013
;; MSG SIZE  rcvd: 3992

I removed most of the "A" record responses. There are a total of 243 if I counted right. The response is 3992 bytes, almost 100 times the size of the query (41 bytes). You also see at the top how dig indicates that it had to fall back to TCP because the response was too large. Many modern resolvers don't require this, and use EDNS0 to allow larger responses, typically up to 4kBytes in size.

The domain appears to be set up just to act as a source of large DNS responses to be used in DoS attacks.

The second record no longer resolves. I can only assume that it was used similarly. The "ANY" query is not even needed for a domain like this one with many A records. Just an A query will result in a huge answer.
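As an added example (not part of the diary), here is the detection logic the indicators above suggest, plus the amplification ratio, run over a constructed log in the same tcpdump format. The source address, source port and queried name are placeholders, since the excerpt omits them.

```python
import re
from collections import defaultdict

# Constructed sample in the tcpdump style of the diary excerpt. The source
# address, source port and queried name are placeholders; the original log omits them.
SAMPLE_LOG = """\
15:53:34.329883 IP 192.0.2.10.3333 > 59.167.1.35.53: 9158+ [1au] ANY? example.test. (41)
15:53:34.331562 IP 192.0.2.10.3333 > 59.167.1.36.53: 9158+ [1au] ANY? example.test. (41)
15:53:34.331785 IP 192.0.2.10.3333 > 59.167.1.32.53: 9158+ [1au] ANY? example.test. (41)
15:53:34.332050 IP 192.0.2.10.3333 > 59.167.1.39.53: 9158+ [1au] ANY? example.test. (41)
15:58:56.288188 IP 192.0.2.77.40012 > 59.167.1.32.53: 17253+ [1au] A? example.test. (50)
15:59:23.345810 IP 192.0.2.77.40013 > 59.167.1.34.53: 28322+ [1au] A? example.test. (50)
"""
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.53: (?P<qid>\d+)\+ (?:\[1au\] )?(?P<qtype>\w+)\? "
    r"(?P<qname>\S+) \((?P<qlen>\d+)\)$")

def parse_line(line):
    """Fields of one tcpdump DNS query line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    h, mi, s = d["ts"].split(":")
    d["t"] = int(h) * 3600 + int(mi) * 60 + float(s)  # seconds since midnight
    return d

def amplification_factor(query_bytes, response_bytes):
    """Bytes a reflector returns per byte the attacker sends (diary case: 3992 / 41)."""
    return response_bytes / query_bytes

def find_suspicious(log_text, window=1.0, min_targets=3):
    """Flag ANY queries, and (src, sport, query ID) tuples fanning out to >= min_targets resolvers within window s."""
    findings, fanout = set(), defaultdict(list)  # (src, sport, qid) -> [(t, dst)]
    for line in log_text.splitlines():
        q = parse_line(line)
        if q is None:
            continue
        if q["qtype"] == "ANY":
            findings.add(("ANY query", f"{q['src']} -> {q['dst']} {q['qname']}"))
        fanout[(q["src"], q["sport"], q["qid"])].append((q["t"], q["dst"]))
    for (src, sport, qid), hits in fanout.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # sliding window starting at each query
            targets = {dst for t, dst in hits[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                findings.add(("query ID reuse", f"{src}:{sport} id {qid} -> {len(targets)} resolvers"))
                break
    return sorted(findings)
```

On the sample, the four ANY lines are flagged individually and the reused ID 9158 is flagged once as a fan-out to four resolvers; the two later A queries, with fresh IDs and ports, pass.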
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: any csam dns dos