The “isc.org” DNS attack

An attack on DNS UDP port 53 has been spreading these days. The attacker uses botnets to send out UDP DNS requests with a forged source IP address. When the DNS server replies to such a query, it sends the answer to that forged address.

Packets look like this:

SRC: 178.33.2.*:any
DST: yourdnsserver:53
QUERY: ANY? isc.org

The source IP is forged, but every DNS server configured with root hints will answer this packet. The problem here:

Request size: 78 bytes
Answer size: 3656 bytes

So this is a 46x multiplier for DDoS attacks. Nice idea, bad for DNS server owners. There are a lot of websites talking about this issue:

Protection against isc.org any attack
http://www.minihowto.eu/…

How to block DNS Amplification Attack isc.org any attack
http://www.junkemailfilter.com/…

How to Launch a 65Gbps DDoS, and How to Stop One
http://blog.cloudflare.com/…

Is Your Open DNS Resolver Part of a Criminal Conspiracy?
https://www.isc.org/…

[issue-1] Routers don’t follow BCP38

So the problem has two sources. First, the internet routers that allow packets to be transported with source addresses that aren’t from the ranges behind those routers. In other words: why should a router forward a packet from a source that, according to its own routing table, belongs behind a different gateway? There’s a routing “best common practice” no. 38 that describes this as follows:

IF packet's source address from within [its assigned space]
THEN forward as appropriate

IF packet's source address is anything else
THEN deny packet

Thanks to Chip Marshall from dyndns.org for publishing this information. His post is here.

More information about BCP38 can be found here:
http://www.bcp38.info/index.php/Main_Page
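As an added example (not from Chip Marshall’s post or this one), here is the BCP38 rule above modelled in PowerShell: a packet is only forwarded when its source address lies inside one of the prefixes assigned behind the ingress interface. The customer prefixes and the sample packets are constructed; the spoofed source is the 178.33.2.* range seen in the attack.

```powershell
# Convert a dotted IPv4 address to an unsigned 32-bit integer
function ConvertTo-UInt32 {
    param([string]$IPv4)
    $bytes = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    [Array]::Reverse($bytes)                      # network byte order -> host order
    return [BitConverter]::ToUInt32($bytes, 0)
}

# True when $IPv4 falls inside the CIDR prefix, e.g. "192.0.2.17" in "192.0.2.0/24"
function Test-InPrefix {
    param([string]$IPv4, [string]$Cidr)
    $network, $length = $Cidr -split '/'
    # Dropping the host bits by integer division avoids 32-bit shift quirks
    $scale = [math]::Pow(2, 32 - [int]$length)
    $ipNet  = [math]::Floor((ConvertTo-UInt32 $IPv4) / $scale)
    $prefix = [math]::Floor((ConvertTo-UInt32 $network) / $scale)
    return $ipNet -eq $prefix
}

# The BCP38 ingress check: forward only sources from the assigned space, deny the rest
function Test-Bcp38Ingress {
    param([string]$SourceIP, [string[]]$AssignedPrefixes)
    foreach ($prefix in $AssignedPrefixes) {
        if (Test-InPrefix -IPv4 $SourceIP -Cidr $prefix) { return 'forward' }
    }
    return 'deny'
}

# Constructed example: a customer interface with two assigned prefixes
$customerPrefixes = '192.0.2.0/24', '198.51.100.0/25'
$packets = @(
    @{ Src = '192.0.2.17';     Query = 'A www.example.com' }   # inside assigned space
    @{ Src = '198.51.100.200'; Query = 'A www.example.com' }   # outside the /25
    @{ Src = '178.33.2.9';     Query = 'ANY isc.org' }         # spoofed attack source
)
foreach ($p in $packets) {
    $verdict = Test-Bcp38Ingress -SourceIP $p.Src -AssignedPrefixes $customerPrefixes
    '{0,-16} {1,-18} {2}' -f $p.Src, $p.Query, $verdict
}
```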

[issue-2] DNS recursion

The other reason: a DNS server published on the internet should only answer queries for its own zones. But most DNS servers are configured to perform recursive DNS queries on behalf of their clients. This is why the attack has spread so widely.

To disable recursion on Windows DNS Servers:

  • Right-click the DNS server and click Properties
  • Select the Advanced tab
  • Under Server options, select the “Disable recursion” check box
  • Save using the OK button

More information in TechNet: http://technet.microsoft.com/en-us/library/cc771738.aspx

Another way would be to remove all root hints and forwarders from the config. But disabling recursion is the easiest and most common fix.
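As an added example (not part of the original post), the following PowerShell spots the query pattern described above in a Windows DNS Server debug log and turns recursion off the same way the check box does. The log lines are constructed in the debug-log layout; the exact field order is an assumption, and the DnsServer cmdlets require Server 2012 or later.

```powershell
# Group inbound ANY queries by source and name; a flood of identical ANY queries
# from a few sources is the amplification pattern, not normal client traffic
function Find-AnyQueryFloods {
    param([string[]]$LogLines, [int]$Threshold = 3)
    # <proto> Rcv <remote ip> <xid> Q [<flags>] <qtype> <qname as (len)label...(0)>
    $pattern = '(?:UDP|TCP)\s+Rcv\s+(?<src>\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+Q\s+\[(?<flags>[^\]]*)\]\s+(?<qtype>\S+)\s+(?<qname>\S+)'
    $hits = foreach ($line in $LogLines) {
        if ($line -match $pattern -and $Matches.qtype -eq 'ANY') {
            [pscustomobject]@{
                Source = $Matches.src
                Name   = ($Matches.qname -replace '\(\d+\)', '.').Trim('.')
                RD     = [bool]($Matches.flags -match '\bD\b')   # "D" = recursion desired
            }
        }
    }
    $hits | Group-Object Source, Name |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{ Source = $_.Group[0].Source; Name = $_.Group[0].Name; Queries = $_.Count }
        } | Sort-Object Queries -Descending
}

# Constructed sample lines in the style of the DNS debug log (Properties > Debug Logging)
$sample = @(
    '3/28/2013 9:12:01 AM 0C84 PACKET  000000000A3F1230 UDP Rcv 178.33.2.14      4a1b   Q [0001   D   NOERROR] ANY    (3)isc(3)org(0)'
    '3/28/2013 9:12:01 AM 0C84 PACKET  000000000A3F1230 UDP Rcv 178.33.2.14      4a1c   Q [0001   D   NOERROR] ANY    (3)isc(3)org(0)'
    '3/28/2013 9:12:01 AM 0C84 PACKET  000000000A3F1230 UDP Rcv 178.33.2.14      4a1d   Q [0001   D   NOERROR] ANY    (3)isc(3)org(0)'
    '3/28/2013 9:12:02 AM 0C84 PACKET  000000000A3F1230 UDP Rcv 192.0.2.25       77e0   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)'
    '3/28/2013 9:12:02 AM 0C84 PACKET  000000000A3F1230 UDP Rcv 178.33.2.200     4a1e   Q [0001   D   NOERROR] ANY    (3)isc(3)org(0)'
)
Find-AnyQueryFloods -LogLines $sample | Format-Table -AutoSize

# Same setting as the "Disable recursion" check box, without the GUI.
# On Server 2008 R2 the equivalent is: dnscmd /Config /NoRecursion 1
function Disable-DnsRecursionOnThisServer {
    Set-DnsServerRecursion -Enable $false
    (Get-DnsServerRecursion).Enable      # returns the setting now in effect
}
```

Run the detection against the real log file with `Find-AnyQueryFloods -LogLines (Get-Content C:\dns.log)`; an authoritative-only server still answers ANY for its own zones, so the query pattern alone is the signal, not proof of a misconfiguration.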

Other Links:

Alert from US-CERT: http://www.us-cert.gov/ncas/alerts/TA13-088A


Negative ping times & losing performance data

Did you ever see something like this?

[Screenshot: 21.05 ping time]

The same problem also causes performance graph data to be lost, like this:

[Screenshot: 21.05 perf]

But what’s causing this phenomenon? I found this article in MS KB895980:

CAUSE:

This problem occurs when the computer has the AMD Cool’n’Quiet technology (AMD dual cores) enabled in the BIOS or some Intel multi core processors. Multi core or multiprocessor systems may encounter Time Stamp Counter (TSC) drift when the time between different cores is not synchronized. The operating systems which use TSC as a timekeeping resource may experience the issue. Newer operating systems typically do not use the TSC by default if other timers are available in the system which can be used as a timekeeping source. Other available timers include the PM_Timer and the High Precision Event Timer (HPET).

Weird, isn’t it? I decided to use the boot.ini switch “/usepmtimer”, which successfully solved that problem.

JetPack for DHCP DB maintenance missing?

During my learning courses on Server 2012, I just tried to do a DHCP database maintenance using JetPack. I really didn’t find that executable, so I also tried doing the same under Server 2008 R2. No success. Know why? JetPack is only installed in combination with the WINS role. Who still uses WINS?!? (Sorry for that.)

So if you don’t want to install the WINS role only to get the JetPack executable back, there is another way.

  1. Open Explorer, Browse to %windir%\System32
  2. Use the Search Box and enter “JetPack”
  3. Copy the executable to %windir%\System32\dhcp
  4. Run your maintenance

Source:

Technet Article; Jetpack.exe on Windows 2008 server

KB145881 How to Use Jetpack.exe to Compact a WINS or DHCP Database

Get (Calculate) Windows Product Key using PowerShell

There are some tools on the web that can read out product keys from a running Windows installation. There’s also a cool guy who wrote a PowerShell script that does the same. Christian Haberl published his script on his blog here:

http://blog.this.at/post/2010/03/06/Windows-Product-Key-per-Powershell-auslesen.aspx

Source Code:

function Get-ProductKey {
    # The 24 characters used by the product key's base-24 encoding
    $map = "BCDFGHJKMPQRTVWXY2346789"
    # Bytes 0x34..0x42 of DigitalProductId hold the 15 encoded key bytes
    $value = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").DigitalProductId[0x34..0x42]
    $ProductKey = ""
    # Produce the 25 key characters, last one first, by repeated division by 24
    for ($i = 24; $i -ge 0; $i--) {
        $r = 0
        for ($j = 14; $j -ge 0; $j--) {
            $r = ($r * 256) -bxor $value[$j]
            $value[$j] = [math]::Floor([double]($r / 24))
            $r = $r % 24
        }
        $ProductKey = $map[$r] + $ProductKey
        # Insert a dash in front of every completed group of five characters
        if (($i % 5) -eq 0 -and $i -ne 0) {
            $ProductKey = "-" + $ProductKey
        }
    }
    echo "Product Key:" $ProductKey
}

Very cool! Thanks Christian for publishing that code.

Boot directly from vhd File

Yes, I knew about mounting VHD files as drives in Windows 8/2012, and ISO files can also be mounted directly in Windows Explorer. But here’s a very easy way to mount the VHD image AND directly add it to the BCD boot menu to boot from:

(1) Copy the Extracted VHD file to C:\BootVHD\Server2012.vhd

(2) Mount the copied VHD file as a virtual Drive Letter

  • Right-click on the “Command Prompt” shortcut and select “Run as Administrator”
  • run “DISKPART.EXE” from the Command Prompt
  • At the “DISKPART>” prompt type the following commands, pressing Enter after each:
  • SELECT VDISK FILE="C:\BootVHD\Server2012.vhd"
  • ATTACH VDISK
  • EXIT

(3) Wait for the VHD file to be mounted as a new drive letter. When completed, this new drive letter will show up in “My Computer” and “Windows Explorer”.

(4) Add a new OS Boot Menu Choice for Windows Server 2012

  • Right-click on the “Command Prompt” shortcut and select “Run as Administrator”
  • Run “BCDBOOT <mounted_drive_letter>:\WINDOWS” from the Command Prompt

(5) Reboot and select “Windows Server 2012” from the OS boot menu displayed.

Done.
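Steps 1 to 4 above as one PowerShell function, added here as an example and not taken from Keith Mayer’s lab setup page. It feeds the same DISKPART commands from a script file, waits for the new drive letter, checks that the letter really contains a \Windows folder before calling BCDBOOT, and stops on a non-zero exit code; the function name, the temp file name and the 30-second wait are my own choices.

```powershell
function Add-VhdBootEntry {
    param(
        [Parameter(Mandatory = $true)][string]$VhdPath,   # e.g. C:\BootVHD\Server2012.vhd
        [string]$SourceVhd                                # optional: extracted VHD to copy first (step 1)
    )
    if ($SourceVhd) {
        New-Item -ItemType Directory -Path (Split-Path $VhdPath) -Force | Out-Null
        Copy-Item -Path $SourceVhd -Destination $VhdPath
    }

    # Step 2: the same DISKPART commands as above, read from a script file instead of typed in
    $script = Join-Path $env:TEMP 'attach-vhd.txt'
    @("SELECT VDISK FILE=`"$VhdPath`"", 'ATTACH VDISK', 'EXIT') | Set-Content -Path $script -Encoding ASCII
    $before = @(Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Name })
    diskpart.exe /s $script | Out-Null

    # Step 3: wait for the new drive letter and make sure it holds a Windows installation
    $letter = $null
    for ($try = 0; $try -lt 30 -and -not $letter; $try++) {
        Start-Sleep -Seconds 1
        $letter = Get-PSDrive -PSProvider FileSystem |
            Where-Object { $before -notcontains $_.Name -and (Test-Path "$($_.Name):\Windows") } |
            Select-Object -First 1 -ExpandProperty Name
    }
    if (-not $letter) { throw "VHD attached, but no new drive letter with a \Windows folder appeared" }

    # Step 4: BCDBOOT copies the boot files from the VHD and adds the boot menu entry
    bcdboot.exe "$($letter):\Windows"
    if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }
    bcdedit.exe /enum osloader   # the new entry lists the VHD as its device/osdevice
}

# Step 5 stays a manual reboot. Run from an elevated prompt, e.g.:
# Add-VhdBootEntry -SourceVhd 'D:\Extracted\Server2012.vhd' -VhdPath 'C:\BootVHD\Server2012.vhd'
```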

Source: http://blogs.technet.com/b/keithmayer/p/earlyexpertlabsetup.aspx#.UYtQlsp0bIg