Fwd: NIST Computer Security Division Released March 2014 ITL Security
CRt Mail
A beta version of the mail webinterface is online on http://test.cesidianroot.eu
Many bugfixes have been resolved. Also a mobile version is online. Please visit and try the mobile version with your browser on your cellular phone by typing http://test.cesidianroot.eu and send any bug to [email protected].
Thanks a lot for testing. The next few days some other features will be implemented also a new view…
Cheers
Sent by CesidianRoot Europe Mail Services Webmail
Safe and secure!
Spamfree, DKIM support, dnssec signed, PFS (Perfect Forward Secrecy).
Would you like to register your own email domain?
Would you like to have an email address for the domain [email protected] or [email protected]?
Contact: [email protected]
https://mail.cesidianroot.eu
https://www.cesidianroot.eu
UCANN2 Restructure
I’ve started restructuring the UCANN2 infrastructure. New servers, MORE servers and a completely different naming convention.
This new infrastructure will allow better reliability as well as faster resolver times. Since I’ve moved the DNS structure to a DLZ (Dynamic Loading Zone) setup, the updates are immediate.
So check back often for new servers coming online.
Server for Cesidian Root
It seems that domains like…
http://www.cesidian.root
http://tricycle.ti
http://uyghurensemble.uu
…resolve.
And ICANN domains like…
http://cmt.zone
http://ummoa.cc
http://ummoa.com
…also resolve.
Cheers!
Two more servers.
I’ve set up two more DNS servers:
92.222.21.155 -> Germany
5.135.167.84 -> France
How to make them available as root servers? Should I add an entry to the “db.root” file?
CRT Security UNKNOWN kind of ddos attack on dns servers
Today a new type of DDoS has occurred; here is the first of it surfacing. I just received this email from the security offices.
Two of our servers are affected. I am working very hard to find a solution for this new kind of attack.
If anybody finds this kind of attack in the bind log files, please let me know about it immediately. Here is a description of how this attack acts and works:
Chinese Water Torture: A Slow Drip DNS DDoS Attack
A number of our service provider customers around the world are reporting that they see a new type of denial-of-service attack that is using the DNS as the attack vector. The service providers themselves do not appear to be the target of this attack. Instead, the attack tries to overwhelm an outside victim’s authoritative DNS servers. Once the DNS server is taken down, the victim’s domains will appear to be inaccessible.
As a side effect, our service provider customers are seeing a spike in DNS traffic resulting in increased CPU and memory usage. This blog gives some more details about the attack and suggests what you can do to mitigate the impact of it.
The Attack
It appears that a fairly large botnet is used to send queries for the victim’s domain. Queries are made up, with a random string of up to 16 letters prepended to the victim’s domain, like:
xyuicosic.www.victimdomain.com
A query for this domain is then sent to the service provider’s DNS server. The DNS server attempts to contact the authoritative nameserver to find the answer. If the authoritative nameserver does not reply (because it is too busy responding to queries from DNS servers all over the world, or perhaps has crashed), the DNS server attempts to contact the next authoritative nameserver and so on. Modern DNS servers will make multiple attempts to contact each authoritative nameserver before giving up and responding back to the client with a SERVFAIL response.
The infected client will then repeat the same pattern but this time with another random string prepended, for example:
alkdfasd.www.victimdomain.com
Even though the DNS server was unable to get a response from any of the victimdomain.com authoritative nameservers during the previous query, most DNS servers will still attempt to contact them for this second query.
Now imagine that thousands of bots are sending a relatively small number of queries for such made-up subdomains. This will trigger a large increase in the number of DNS queries sent by the service provider’s DNS servers to the victim’s nameservers.
How to Detect the Attack
While this attack most likely is targeting the authoritative servers for victimdomain.com, it also puts an increased CPU load on the DNS server by forcing it to continually initiate recursive queries and also consumes large amounts of resolver memory resources. More importantly, if the internal resolver resources are fully consumed, the resolver may drop any inbound queries, including queries from legitimate clients.
If the DNS server’s behavior is being monitored, the symptoms of the attack will also show up as:
Increased CPU utilization
Increased number of SERVFAIL responses
Increased number of outbound queries and retransmissions
Increased query latency
Increased number of dropped client queries (if the resolver resources are fully consumed)
One thing all of the victim domains have in common is that they appear to be Chinese sites, perhaps gaming or gambling sites.
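The random-label pattern described above (one distinct made-up label per query, spread across many bot clients) is something a resolver operator can look for directly in BIND query logs, which is what the post asks readers to do. The following is an added example, not code from the post or from the quoted blog: it parses BIND 9 query-log lines, groups queries by registered domain, and flags a domain when almost every query carries a never-before-seen leftmost label and the queries come from many clients. The log lines, client addresses, thresholds and the "victimdomain.com" / "example.org" names are constructed for the example; the regular expression is a tolerant guess at the BIND 9 query-log layout and should be checked against your own logging channel format.

```python
"""Detect random-subdomain ("slow drip") query floods in BIND 9 query logs.

Heuristic: legitimate traffic for a zone concentrates on a few hostnames,
while a water-torture flood produces a unique leftmost label on almost every
query and arrives from many distinct clients.
"""
import hashlib
import re
from collections import defaultdict

# Tolerant pattern for BIND 9 query-log lines (assumption: adjust to your channel).
# Example line: 25-Mar-2014 10:15:01.000 client 10.0.0.5#53124: query: www.example.org IN A + (192.0.2.53)
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+.*?"
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(lines):
    """Yield (client, qname) for every line that matches the query-log pattern."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname").rstrip(".").lower()


def registered_domain(qname):
    """Naive 'last two labels' zone guess; enough for .com/.cc style victims."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_random_subdomain_floods(lines, min_queries=20, unique_ratio=0.8, min_clients=5):
    """Return {zone: stats} for zones whose query mix looks like a random-label flood.

    A zone is flagged when it received at least min_queries queries, the share
    of distinct leftmost labels is at least unique_ratio, and at least
    min_clients different client addresses asked for it.
    """
    stats = defaultdict(lambda: {"queries": 0, "labels": set(), "clients": set()})
    for client, qname in parse_query_log(lines):
        labels = qname.split(".")
        if len(labels) <= 2:
            continue  # apex query: there is no leftmost label to randomise
        s = stats[registered_domain(qname)]
        s["queries"] += 1
        s["labels"].add(labels[0])
        s["clients"].add(client)

    flagged = {}
    for zone, s in stats.items():
        ratio = len(s["labels"]) / s["queries"]
        if s["queries"] >= min_queries and ratio >= unique_ratio and len(s["clients"]) >= min_clients:
            flagged[zone] = {
                "queries": s["queries"],
                "unique_labels": len(s["labels"]),
                "clients": len(s["clients"]),
                "unique_ratio": round(ratio, 2),
            }
    return flagged


def _line(client, qname):
    """Build one constructed BIND-style query-log line."""
    return f"25-Mar-2014 10:15:01.000 client {client}#53124: query: {qname} IN A + (192.0.2.53)"


def constructed_sample_log():
    """Constructed sample: 30 flood queries with distinct labels, 30 legitimate ones."""
    lines = []
    # Flood: a fresh pseudo-random label on every query, from six bot addresses.
    for i in range(30):
        label = hashlib.sha256(str(i).encode()).hexdigest()[:12]
        lines.append(_line(f"198.51.100.{i % 6 + 1}", f"{label}.www.victimdomain.com"))
    # Legitimate traffic: two well-known hostnames from three clients.
    for i in range(30):
        host = "www" if i % 2 else "mail"
        lines.append(_line(f"192.0.2.{i % 3 + 10}", f"{host}.example.org"))
    return lines


if __name__ == "__main__":
    for zone, info in find_random_subdomain_floods(constructed_sample_log()).items():
        print(f"possible random-subdomain flood against {zone}: {info}")
```

On real logs, feed the function the lines of your query-log channel (enable it with `querylog yes;` or `rndc querylog`) over a short window rather than a whole day, since the ratio only means something when measured against concurrent traffic. Flagging the zone, not the client, matches the attack's shape: each bot sends only a few queries, so per-client thresholds miss it.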
Fwd: NIST Released February 2014 ITL Security Bulletin: Framework for
NIST Computer Security Division released the February 2014 ITL Security Bulletin.
Topic of the Month:
Framework for Improving Critical Infrastructure Cybersecurity
URL to ITL Bulletin:
http://csrc.nist.gov/
This month’s Bulletin is a supplemental article to the approved NIST Cybersecurity Framework. For more information regarding the Cybersecurity Framework, please visit the NIST Cybersecurity Framework’s website:
http://www.nist.gov/
For previously released ITL Security Bulletins, visit the NIST CSRC ITL Bulletins page:
http://csrc.nist.gov/
TLD .atla
The TLD .ATLA is working again in the CRt.
http://www.atla/
http://www.gov.atla/