broken msoft name servers [was: They just don't make a Lart big enough for this....]

Daniel Baird Daniel.Baird at cwo.net.au
Wed Aug 9 06:28:37 UTC 2000


We've marked 207.46.138.11 as bogus. After several attempts at educating the
msoft hostmaster/s, all to no avail, we had no choice. It was causing an
indirect DOS attack against us.

I sent msnhst at microsoft.com this:
> Hello,
> 
> We have noticed a very large number of TCP connection requests (SYN_SENT)
> from our primary DNS to dns4.cp.msft.net.
> 
> E.g. we have had up to 3000 of these open at one time.
> -----
> named  TCP o2robox05:49964->dns4.cp.msft.net:domain (SYN_SENT)
> named  TCP o2robox05:49420->dns4.cp.msft.net:domain (SYN_SENT)
> named  TCP o2robox05:49968->dns4.cp.msft.net:domain (SYN_SENT)
> named  TCP o2robox05:49969->dns4.cp.msft.net:domain (SYN_SENT)
> named  TCP o2robox05:49970->dns4.cp.msft.net:domain (SYN_SENT)
> named  TCP o2robox05:49973->dns4.cp.msft.net:domain (SYN_SENT)
> named  TCP o2robox05:49974->dns4.cp.msft.net:domain (SYN_SENT)
> named  TCP o2robox05:49975->dns4.cp.msft.net:domain (SYN_SENT)
> named  TCP o2robox05:49976->dns4.cp.msft.net:domain (SYN_SENT)
> named  TCP o2robox05:49988->dns4.cp.msft.net:domain (SYN_SENT)
> -----
> 
> Some detective work suggests the following:
> 
> 1/ DNS request (UDP) is sent to dns4.cp.msft.net
> 2/ answer (UDP) comes back from dns4.cp.msft.net with a flag that the
> response is larger than 512 bytes, hence flagging TCP.
> 3/ DNS request (TCP) connection is initiated to dns4.cp.msft.net
> 
> So, is your firewall stopping TCP DNS requests? i.e. blocking TCP on port 53?
 

Regards,

Daniel Baird
Sysadmin/Network Engineer
Data and Business Services 
Cable & Wireless Optus     





-----Original Message-----
From: $perlvert [mailto:mycos at my-deja.com]
Sent: Wednesday, 9 August 2000 12:44 PM
To: comp-protocols-dns-bind at moderators.isc.org; abuse at microsoft.com
Subject: They just don't make a Lart big enough for this....


File this one under "Stupid DoS tricks", the following query completely
clobbers our NT BIND... but it doesn't matter what platform I make this
lookup from, it fails.

> 207.209.46.207.in-addr.arpa
Server:  dns4.cp.msft.net
Address:  207.46.138.11

*** dns4.cp.msft.net can't find 207.209.46.207.in-addr.arpa: Non-existent domain

Well, that's not exactly true.....

965775969.939604 207.46.138.11.53 > x.y.z.n.53: 15210*| 20/0/0 PTR
albany.msn.com., PTR albuquerque.msn.com., PTR atlanta.msn.com., PTR
austin.msn.com., PTR baltimore.msn.com., PTR bayarea.msn.com., PTR
birmingham.msn.com., PTR boston.msn.com., PTR buffalo.msn.com., PTR
charleston.msn.com., PTR charlotte.msn.com., PTR chicago.msn.com., PTR
cincinnati.msn.com., PTR cleveland.msn.com., PTR columbus.msn.com., PTR
dallas.msn.com., PTR dayton.msn.com., PTR denver.msn.com., (504)

Hmmm, A through D.... anyone have any guesses as to just how many PTRs
msn.com needs for a single IP?

M
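Added example, not code from either poster: a Python model of the UDP-to-TCP fallback in steps 1/ to 3/ of the first message and of the truncated reply in the second (tcpdump's `|` after the id is the TC flag, `(504)` the captured length). It builds a PTR response for 207.209.46.207.in-addr.arpa from the 18 msn.com targets visible in the capture, sets TC and drops whole records when the message exceeds 512 bytes, and shows the resolver-side check that triggers the TCP retry on port 53, the connection that sits in SYN_SENT when TCP/53 is filtered. Sizes depend on how a server compresses names (the `compress` switch is this example's own knob), so they do not reproduce the Microsoft server's packet.

```python
import struct

# Constructed input: the reverse name and the 18 PTR targets visible in the
# tcpdump output above (the header said 20; the packet cut off after "denver").
QNAME = "207.209.46.207.in-addr.arpa"
CITIES = ["albany", "albuquerque", "atlanta", "austin", "baltimore", "bayarea",
          "birmingham", "boston", "buffalo", "charleston", "charlotte", "chicago",
          "cincinnati", "cleveland", "columbus", "dallas", "dayton", "denver"]
PTRS = [c + ".msn.com" for c in CITIES]
UDP_MAX = 512                     # RFC 1035 UDP payload limit (pre-EDNS0)
TC, AA, QR = 0x0200, 0x0400, 0x8000

def encode_name(name, msg, offsets, compress=True):
    """Append NAME in wire format, reusing earlier suffixes via pointers."""
    labels = name.rstrip(".").split(".")
    while labels:
        suffix = ".".join(labels)
        if compress and suffix in offsets:
            msg += struct.pack("!H", 0xC000 | offsets[suffix])
            return
        offsets.setdefault(suffix, len(msg))
        msg += bytes([len(labels[0])]) + labels[0].encode("ascii")
        labels = labels[1:]
    msg += b"\x00"

def build_ptr_response(qname, targets, compress=True, txid=15210):
    """Authoritative PTR reply; sets TC and drops whole RRs if > 512 bytes."""
    msg, offsets, ends = bytearray(12), {}, []
    encode_name(qname, msg, offsets, compress)
    msg += struct.pack("!HH", 12, 1)                  # QTYPE=PTR, QCLASS=IN
    q_end = len(msg)
    for t in targets:
        encode_name(qname, msg, offsets, compress)    # owner name
        msg += struct.pack("!HHIH", 12, 1, 3600, 0)   # type, class, TTL, rdlength
        rdata_at = len(msg)
        encode_name(t, msg, offsets, compress)
        struct.pack_into("!H", msg, rdata_at - 2, len(msg) - rdata_at)
        ends.append(len(msg))
    flags, ancount = QR | AA, len(targets)
    if len(msg) > UDP_MAX:                            # does not fit in UDP
        ancount = sum(1 for e in ends if e <= UDP_MAX)
        msg, flags = msg[:ends[ancount - 1] if ancount else q_end], flags | TC
    struct.pack_into("!HHHHHH", msg, 0, txid, flags, 1, ancount, 0, 0)
    return bytes(msg)

def resolver_needs_tcp(udp_reply):
    """Resolver side of steps 2/ and 3/: TC set means re-ask over TCP port 53."""
    return bool(struct.unpack_from("!H", udp_reply, 2)[0] & TC)

if __name__ == "__main__":
    for c in (True, False):
        r = build_ptr_response(QNAME, PTRS, compress=c)
        print(f"compress={c}: {len(r)} bytes, TC={resolver_needs_tcp(r)}")
```

With suffix compression the 18 records fit in 462 bytes; without it only 8 fit, TC is set, and the resolver opens the TCP connection.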
