November 26, 2013

Anti-DDoS protection added to BIND DNS

A new version of BIND DNS has added a mechanism which will help combat against reflected Denial-of-Service (DoS) attacks, or specifically against a DNS amplification attack.  This module was introduced into version 9.9.4.

What is a DNS amplification attack?  It's an attack where, using the UDP transport, the attacker uses a large group of open resolvers to execute a DNS lookups with the source address spoofed to look like it's coming from the victim/target.  Usually the lookup is for all records ("ANY" in DNS speak) of a particular domain (or zone) so that large amounts of response traffic is sent to the victim/target which consume large amounts of bandwidth and/or CPU of the target.  This will keep the target busy and potentially make it unavailable.  More details about how the attack works can be found here:
Anatomy of a DNS DDoS Amplification Attack

So how can RRL help mitigate these attacks?  In essence, RRL examines the pattern of DNS requests and throttles the response to the requests when it detects an attack.  According to the documentation, it's highly configurable to combat against many types of attacks.  An important note is that incoming requests cannot be throttled by RRL.

While the attacks are not new, there has been an increase of them recently.  I recommend considering deploying this feature.

More information about BIND and RRL:
Using RRL to Prevent DNS Amplification Attacks
Quick introduction to Response Rate Limiting
How to enable Response Rate Limiting (RRL) on BIND 9.9.4
Download BIND from here

August 24, 2013

Retail thefts parallel to infosec

I just re-discovered a great post by Richard Bejtlich about the parallels of retail crime and computer crime.  I read this writing by Richard a few years ago (2010) when it was posted and while it is dated, I thought it is worthy of highlighting again because in my opinion it's still relevant.

Maybe retailers should band together to share information about the criminals and losses similarly to how the casinos operate.  Collectively they might be able to fight this crime more effectively.  Sounds kind of similar to what we in the infosec community have been trying to do doesn't it?

Richard's blog post on

Where you'll get hacked stats

I found this graphic showing where you'll get hacked.  Some interesting statistics in there.

Link to graphic on

January 27, 2013

Google indexes 86K+ printers accessible from Internet

Printers on the Internet = total fail!  Funny article by ZDNet's Zack Wittaker.

Whoops: Google indexes more than 86,000 HP 'public' printers

Cyber Warfare and the Mutually-Assured Destruction of Cyberspace

I frequently read the writings of Lenny Zeltser; he's a smart guy who always has something interesting to say.  He posted a short entry on his blog in July of 2012 stating his theory of how countries will use the principle of mutually-assured destruction to deter each other from a major world war in cyberspace.
Worth a read, check it out here: