29 Comments
- ViceVirtue, on 10/12/2007, -1/+9: You know the definitions are fuzzy (by common usage) and that you're never going to be able to change that.
Especially if you attempt to label them "Malicious Hackers" - That term is far too long for the masses to embrace.
Calling them crackers is also wrong because there're lots of legitimate crackers out there (DVD Jon cracking Apple software to open it up - I would call that legitimate).
It's best to just let it go, and not be offended when you're put in the same boat as a black-hat.
- nxusername, on 10/12/2007, -2/+9: Not closing off your DNS server is the same as running an open mail relay.
# cat /etc/bind/named.conf |grep recursion
recursion no;
- xodex, on 10/12/2007, -5/+11: People forget to add the word "Malicious" As in.... Malicious Hackers
- inactive, on 10/12/2007, -7/+12: I'm offended. This is digg..you should know REAL Hackers don't do harm. Look at Steve Wozniak.
This is like some kind of CNN / Local News crap article.
- mcdpa, on 10/12/2007, -1/+5: Or ....
# cat /etc/bind/named.conf |grep recursion
allow-recursion { none; };
It is a good idea not to make your bind version public either.
# cat /etc/bind/named.conf |grep version
version "get lost";
- macewan, on 10/12/2007, -3/+7: agreed, responsible reporters need to start adding Malicious to these titles
- tacom8, on 10/12/2007, -3/+7: oh god please tell me this isn't happening!
what is this world coming to?
- toddbu, on 10/12/2007, -1/+5: Can anyone tell me why recursion is on by default in bind? We've turned it off on all our DNS servers now, but I find it strange that this known method of attack hasn't been plugged.
- ynggrsshppr, on 10/12/2007, -1/+5: An article on GRC.com written 4 years ago on the same subject:
http://www.grc.com/dos/drdos.htm
Yep, not a new attack. Just not used that often, thankfully.
- inactive, on 10/12/2007, -2/+6: Yea, because we all know CNET is as underground as it gets...
- nxusername, on 10/12/2007, -1/+3: My version is inspired by Bender...
# cat /etc/bind/named.conf |grep version
version "Up yours!";
- Nougat, on 10/12/2007, -1/+3: And here I thought it would be something fun like taking over the google.com zone and modifying the A record for 'www' to be the IP address of your target.
- bonoes, on 10/12/2007, -1/+3: Them comparing it to a full mailbox is just stupid. They should use the "Mr. Incredible and the black rubber balls" analogy. Your server is Mr. Incredible and it's running down the path at full speed when all of a sudden it's blasted with thousands of black sticky balls. Eventually dropping it to its knees and keeping it there.
- inactive, on 10/12/2007, -1/+3: That's rather funny... my sites were just hit by that this week... Nasty as hell too... all the sites had intermittent downs, and eventually just went completely down for a day.
- tyme, on 10/12/2007, -1/+2: I was just about to google for that info...
- davidu, on 10/12/2007, -1/+2: It's not that simple, unfortunately. The issue is much more serious. Future versions of BIND as of today will be released with recursion disabled (or set only to local-nets) by default.
The issue is protocols that are trivially spoofed, the lack of BCP38 implementations globally and fundamentally any protocol that lays on this network where queries are small and responses are large. This creates a recipe for reflected and amplified attacks on unknowing victims and unknowing participants.
- joel2600, on 10/12/2007, -6/+7: time to let all the script kiddies in on what the others are up to
- jzp-digg, on 10/12/2007, -0/+1: Has nothing to do with Akamai. Resolvers, not authoritative servers are the primary problem.
- jzp-digg, on 10/12/2007, -0/+1: There's a line between "subtle" and "useless". Your comment is on the wrong side of the line; say something meaningful or buzz off.
- jzp-digg, on 10/12/2007, -0/+1: Your servers will answer out of cache. In addition to 'allow-recurse' you need to clamp down on 'allow-query' as well.
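The settings quoted in the comments above (`recursion`, `allow-recursion`, `allow-query`, `version`), turned into a config check. This is an added example, not part of any comment and not a BIND tool: the function names, finding labels and sample configs are constructed, `allow-query-cache` is a BIND option the thread does not mention, and absent statements are treated as the permissive defaults the thread describes.

```python
import re

# Quoted strings are matched first so "//" or "#" inside them survive.
STRIP = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
ACL = re.compile(r'(?<![-\w])(allow-recursion|allow-query-cache|allow-query)\s*\{([^{}]*)\}\s*;')
RECURSION = re.compile(r'(?<![-\w])recursion\s+(yes|no)\s*;')
VERSION = re.compile(r'(?<![-\w])version\s+("[^"\n]*"|none)\s*;')
EVERYONE = {'any', '0.0.0.0/0', '::/0'}


def permits_any(acl_body):
    """True if a flat ACL body (named ACLs are not expanded) admits everyone."""
    return any(e.strip() in EVERYONE for e in acl_body.split(';'))


def audit(conf_text):
    """Return sorted findings for the text of one named.conf."""
    text = STRIP.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else '', conf_text)
    acls = dict(ACL.findall(text))
    # Assumption: an absent statement means "any" / "yes", the permissive
    # default the thread describes; newer BIND releases default narrower.
    rec = RECURSION.search(text)
    findings = []
    if (rec is None or rec.group(1) == 'yes') and permits_any(acls.get('allow-recursion', 'any')):
        findings.append('open-recursion')
    # Cached answers: allow-query-cache if set, otherwise allow-query.
    if permits_any(acls.get('allow-query-cache', acls.get('allow-query', 'any'))):
        findings.append('open-cache-answers')
    if VERSION.search(text) is None:
        findings.append('version-disclosed')
    return sorted(findings)


# Constructed sample configs (addresses are documentation ranges).
RECURSION_OFF_ONLY = 'options { recursion no; };  // recursion off, nothing else set'
HARDENED = '''
acl trusted { 192.0.2.0/24; localhost; };
options {
    allow-query { any; };               # authoritative zones stay reachable
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    version "get lost";
};
'''

if __name__ == '__main__':
    for name, conf in (('recursion-off-only', RECURSION_OFF_ONLY), ('hardened', HARDENED)):
        print(name, audit(conf))
```
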
- nuxx, on 10/12/2007, -0/+1: As someone who's going for his CEH certification soon, I'm honestly not offended at all by this...I mean, in retrospect, those wily black-hats are what keep people like us busy, and for some, keep us employed as well!!
- dharm, on 10/12/2007, -1/+1: funny how the article makes it seem like a new type of ddos... it's not... it's rddos (reflective ddos)...
it's always great when these *techsites* catch up to 10+ years prior of knowledge
- purpleslog, on 10/12/2007, -0/+0: Well, I don't think the point is that it is a "new" attack (it isn't), but it has started to be used a lot. The reason that it is a problem is that the victim of the attack can do little to prevent them. The misconfiguration lies with the third party DNS server(s). The third party doesn't suffer the effect and therefore has little incentive to fix it. I suppose if shame/ridicule potential increases or if tort action by Lawyers occurs, you will see this change. FYI here is the Secure Bind Template URL: http://www.cymru.com/Documents/secure-bind-template.html
- pr0t3st, on 10/12/2007, -1/+1: Two words.
"Akamai Technologies"
- the-Jer, on 10/12/2007, -0/+0: Why the hell does this get a story? Any SA worth his salt doesn't allow recursive requests from everyone. umm, duh!
That's why we have ACLs and can make one allowed to recurse.
- SuperSloth, on 10/12/2007, -2/+2: People run open DNS servers?
- pr0t3st, on 10/12/2007, -1/+1: That's not quite what I was implying so subtly.
Maybe someone here can figure it out.
- esourcemag, on 10/12/2007, -3/+2: AMAZING! simply amazing...
- kayla, on 10/12/2007, -1/+0: I remember that, too. Go CNET.. the dark underbelly of the digital universe.