Everything, Everything - January 2009

DNS Distributed Denial Of Service?
Tuesday 27th January, 2009 13:03
I spotted a lot of repeated requests to one of my DNS servers and decided to do some investigating (after blocking the IP addresses). It looks like I'm not alone, as someone else has blogged about it (and has also been seeing traffic from 76.9.16.171): DNS dot DDoS Attack targetting the Internet

This led me to the SANS entry on the 18th of January. Two of the IP addresses seem to be associated with porn sites and one of the netblocks has confirmed that a DDoS attack is in progress against one of their clients.

If you have queries for "." in your DNS log, best verify by use of a sniffer whether your DNS server actually responds and contributes to the DOS. Normally, an internet-facing authoritative DNS server should not respond to recursive 3rd party queries, but we have received reports that some servers apparently respond to these "." queries even when recursion is disabled.

The DNS server that's seeing this traffic appears to respond to the requests with a reply code of "Refused" (which is good practice), but that's stopped now that the IPs have been blocked (to help prevent my traffic adding to the problem, and save my server some CPU time, although it is only running at about 2%). You can test your own DNS servers using this tool.
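A scripted version of the check described above, as an added example that is not the author's code or the tool linked in the post: it builds a root query and classifies the reply by RCODE and by size relative to the query. The NS query type, the function names, the `probe` helper and the sample replies are assumptions constructed here; the sample referral repeats one uncompressed NS record, so its size is illustrative only.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 5: "REFUSED"}

def build_root_ns_query(txid=0x2009):
    """Build a '. IN NS' query with RD set (17 bytes on the wire)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    return header + b"\x00" + struct.pack("!2H", 2, 1)  # root name, NS, IN

def classify(query, response):
    """Return (rcode, record_count, size_ratio, amplifies) for one reply."""
    if response is None:                      # timeout: dropped or firewalled
        return ("NO REPLY", 0, 0.0, False)
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, ns, ar = struct.unpack("!6H", response[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        raise ValueError("not a response to this query")
    rcode = RCODES.get(flags & 0xF, "RCODE %d" % (flags & 0xF))
    records = an + ns + ar
    ratio = round(len(response) / len(query), 1)
    # A bare REFUSED is no larger than the query; records make it an amplifier.
    return (rcode, records, ratio, records > 0 or ratio > 1.0)

def probe(server, timeout=3.0):
    """Send the query to a DNS server you operate and classify its reply."""
    query = build_root_ns_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            response = s.recvfrom(4096)[0]
        except socket.timeout:
            response = None
    return classify(query, response)

# Constructed sample replies (not captured traffic).
QUERY = build_root_ns_query()
REFUSED = struct.pack("!6H", 0x2009, 0x8105, 1, 0, 0, 0) + QUERY[12:]
_NS = (b"\x00" + struct.pack("!2HIH", 2, 1, 518400, 20)
       + b"\x01a\x0croot-servers\x03net\x00")
REFERRAL = (struct.pack("!6H", 0x2009, 0x8100, 1, 0, 13, 0)
            + QUERY[12:] + _NS * 13)

if __name__ == "__main__":
    print(classify(QUERY, REFUSED))
    print(classify(QUERY, REFERRAL))
```

A server that answers like `REFERRAL` returns many times the bytes it received, while a `REFUSED` reply is the same size as the query but still lands on the spoofed source address.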

At the moment I've only spotted it coming from the following IPs:

63.217.28.226
67.192.144.0 (all the freaking time)
76.9.16.171

But these others are also apparently affected:

69.50.142.11
69.50.142.110
76.9.31.42

It appears that some of these other IPs may relate to pharmacy spam. I don't like spam, but there must be a better way to take them down.

EDIT: Perhaps this is why GoDaddy and Network Solutions have reported some DDoS problems.

EDIT2: I must admit I'm quite impressed with the Windows Firewall with Advanced Security that comes with Windows 2008!

EDIT3: I noticed that a staggering 43% of all packets hitting my network card are malicious DNS queries. Here's my latest list:
EDIT4: SANS have provided an update.
Windows 7
Tuesday 13th January, 2009 11:57
So far I've only been running it in a virtual machine (both x86 and x64; the latter doesn't appear to like VMware Server 1.0.8's drivers, so I may need to move to VMware Server 2 at some point as I believe it's meant to have signed drivers), so it's hard to make any real judgement on performance. However, it does look prettier than Vista. I'm still not convinced that the new version of Paint is easier to use with the "Ribbon" interface; but after using Office 2007 for a few months I now find it hard to go back, so perhaps it'll grow on me too.

Windows 7 Paint

The new way of managing notifications looks pretty cool:

Windows 7 Notifications

I'm not sure if I like the new Start Menu though. But, overall, it seems pretty good. I've also tested a small patch to Nmap's WinPcap installer (that I'll email to them at some point) that should cope with Windows 7 once it goes live. I'm sure there's a more elegant way to do it, but I've just added a check for "6.1" in addition to the line that checks for "6.0". I suspect I'll have to make another patch for the installer at some point if/when Nmap's installer moves to WinPcap 4.1, as the latest beta has merged a DLL into another one.

Windows 7
http://xkcd.com/528/
Guitar Hero World Tour
Monday 12th January, 2009 11:54
I've been playing a bit too much Guitar Hero World Tour recently, to the point where I've had to take day-long breaks (and in this case about a week) from playing the guitar. Sure, I might be great at playing songs by Muse and No Doubt on the Hard setting (Medium's generally a bit too easy now), but my lower left arm is really starting to suffer. On the plus side, at least it's not my right hand, or there would be a lot more comments in the office. I'll have to go back to levelling up my World of Warcraft character instead.
Arctic Conditions
Tuesday 6th January, 2009 12:11
Due to the extremely cold weather (and it is cold here), I've been allowed to work from home today. This is probably a good thing, as they don't grit my estate, and the last time I tried to drive to work when it was this icy my car ended up on the wrong side of the road as I went around the first corner. A friend of mine gave me a link to this YouTube video of one of his colleagues, trapped in his car due to ice... or is it just stupidity? Warning, the guy filming it on his mobile does say shit. Shit, I just said shit. Three times. Shit.
How Many Kids (And Other Quizzes)
Monday 5th January, 2009 13:58
Online Quiz Results
Happy New Year
Thursday 1st January, 2009 01:00
It's a new dawn, it's a new day. And I'm feeling good. Or something like that.
© Robert Nicholls 2002-2018
The views and opinions expressed on this site do not represent the views of my employer.