
SANS ISC: Apple DDOS? Nope, just the update coming down! - SANS Internet Storm Center


Apple DDOS? Nope, just the update coming down!

The amount of press that Apple's iOS 7 update has gotten today has had an unintended consequence - everyone seems to be pulling it down the instant they see that it's available.

This is triggering IPS sensors and causing real DoS conditions due to the volume of traffic involved - an unintended "Apple-zooka".

Swa, one of our handlers, indicates that this can be easily resolved for a single broadcast domain by enabling the Apple Caching Service on a single OS X Server in the network. Clients find it with Bonjour, and a single download services all clients. (Thanks for the screenshot, Swa.)

I'm not sure how this interacts with the Service Discovery features in mDNS - if anyone has details on this we'd appreciate your insight in the comments field for this story!

Generally, just enabling this is enough, but advanced settings for the caching server can be found here ==> http://support.apple.com/kb/HT5590
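An added example, not part of the diary: a small Python classifier over constructed proxy-log lines that separates an update storm (many internal clients pulling the same large file from one host) from a flood-like burst of tiny requests, which is the distinction an IPS "DoS" rule needs to be tuned on. The host is one of the domains named in the comments below; the path, client addresses and byte counts are constructed sample values.

```python
# Added example, not from the ISC diary: tell an update storm apart from a
# flood-like burst so a "DoS" IPS/IDS alert can be tuned rather than muted.
from collections import defaultdict

# Constructed proxy-log lines: "<client> <dst host> <path> <bytes received>".
# The host is one named in the comments; path and sizes are made up.
SAMPLE_LOG = (
    [f"10.1.0.{i} appldnld.apple.com /ios7/update.ipsw 850000000" for i in range(1, 41)]
    + [f"10.1.0.{i} www.example.com /status 120" for i in range(1, 41)]
    + ["10.1.0.5 www.example.org /index.html 4096"]
)

def parse_line(line):
    src, host, path, nbytes = line.split()
    return src, host, path, int(nbytes)

def classify_bursts(lines, min_clients=25, big_transfer=100_000_000):
    """Group by (host, path) and return a verdict per group.

    update-storm : many distinct clients, each receiving a large body.
                   Bandwidth pain, but legitimate; suppress the DoS alert
                   and point clients at a local cache instead.
    small-burst  : many distinct clients, tiny responses. Could be a flood
                   or a chatty app; keep the alert and look closer.
    normal       : too few clients to matter.
    """
    groups = defaultdict(list)
    for line in lines:
        src, host, path, nbytes = parse_line(line)
        groups[(host, path)].append((src, nbytes))
    verdicts = {}
    for key, entries in groups.items():
        clients = {src for src, _ in entries}
        avg_bytes = sum(n for _, n in entries) / len(entries)
        if len(clients) < min_clients:
            verdicts[key] = "normal"
        elif avg_bytes >= big_transfer:
            verdicts[key] = "update-storm"
        else:
            verdicts[key] = "small-burst"
    return verdicts

if __name__ == "__main__":
    for (host, path), verdict in classify_bursts(SAMPLE_LOG).items():
        print(f"{verdict:13} {host}{path}")
```

Thresholds are deliberately crude; in practice they are set from the site's normal client count and the known size of the update.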


===============
Rob VandenBrink
Metafore

Rob VandenBrink

512 Posts
ISC Handler
Unfortunately, the cache server has to compete with all the iThings until it gets a copy in cache...:-( We're working on it tho...
John

88 Posts
"Swa, one of our handlers, indicates that this can be easily resolved for a single broadcast domain by enabling the Apple Caching Service on a single OSX Server in the network. Clients find it with Bonjour, and a single download services all clients. (thanks for the screenshot Swa)"

Is that enterprise support? LMAO
Dean

135 Posts
Another option our org is considering is 'sinkholing' the common DNS records i-devices use for software updates... at least for a few days with the expectation that most users will update via 'other' networks (like their home).

From what I've gathered around the web... these seem to be the relevant domains required to check for and download the update without impacting other legit iStore purchases, Siri, iMessaging, etc...

appldnld.apple.com
iphone-wu.apple.com
mesu.apple.com
phobos.apple.com
wu.apple.com

YMMV, we're still testing impact...

Also, not only iOS7, but we're noticing 15+ app updates as well listing "iOS7 bug fixes"... so add that to mix.

Would love to see feedback from other ISC readers who may have more specifics on these or other domains iOS devices depend on for iOS and app updates.
justageek

7 Posts
I am not sure you can say the Apple solution is not an enterprise solution.
It uses http://tools.ietf.org/html/rfc6763 based DNS based service discovery.

If Bonjour does not find the services using multicast (You can do multicast routing), then it falls back to unicast DNS lookup. So just add the relevant records to your DNS and things will work. You could put up a Bonjour Proxy as well, that responds on behalf of the actual server. It could be put on the Wireless, and respond on behalf of a server on another subnet.

Here is what Apple writes:
Bonjour uses Dynamic DNS Update (RFC 2316) and unicast DNS queries to enable wide-area service discovery.

If adding things to DNS is not an Enterprise solution, I don't know what is?

Too many people don't see Apple products as the enterprise products they really are, as most of them are considered so dear to people that they want them as personal devices, and not enrolled too deep in the enterprise, because of fear that it might end up being too much like the slow and ugly Windows machine they had before. Maybe Apple needs to add a "Add to Domain" Application to convince everybody they are enterprise ready.
Povl H.

71 Posts
Probably related to the IOS release, though not the DOS condition -- I'm seeing several phishing emails with the subject "Your Apple Account has been put on-hold" containing the expected link to "activate your account".
Hal

50 Posts
