
Archive for January, 2009

Network Solutions under DDOS attack

Saturday, January 24th, 2009

Circle ID reports that major domain registrar Network Solutions has been experiencing a massive DDoS UDP/53 attack on their domain servers for the past 48 hours. The Network Solutions blog confirms this: “There is a spike in DNS query volumes that is causing latency for the delay in web sites resolving. This is a result of a DDOS attack.  We are taking measures to mitigate the attack and speed up queries.”

A post on NANOG provides some additional detail:

A DOS where lots of people's dns servers around the world
are being queried with bogus sourced dns requests not from port 53 for
'NS? .'.  This then bounces back to their authoritative nameservers which
are getting traffic overload.

...

These are the result of a spoofed dns recursion attack against our servers.
The actual packets in question (the ones reaching your servers) do NOT
originate from our network as such there is no way for us to filter things
from our end.

If you are receiving queries from 76.9.31.42/76.9.16.171 neither of these
machines make legitimate outbound dns requests so an inbound filter of
packets to udp/53 from either of these two sources is perfect.

If you are receiving queries from 66.230.128.15/66.230.160.1 these servers
are authoritative nameservers. Please do not blackhole either of these IPs
as they host many domains. However, these IPs do not make outbound DNS
requests so filtering requests to your IPs from these ips with a destination
port of 53 should block any illegitimate requests.

An ACL similar to:
access-list 110 deny udp host 66.230.160.1 neq 53 any eq 53
access-list 110 deny udp host 66.230.128.15 neq 53 any eq 53
is what you want.

This attack could potentially affect more than 7.6 million domain names.  Given the recent rapid spread of threats like the Downadup worm, I’m sure we’re going to be seeing more attacks like this in the not-too-distant future.
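The pattern the NANOG post describes (repeated 'NS? .' queries to udp/53 from a source port other than 53, with the victim's addresses as the spoofed source) can be picked out of a resolver's query log, and the matching filter emitted in the ACL form the post gives. This is an added example, not code from the post or from Network Solutions; the log format and the log lines are constructed, and the source addresses are the two the post names.

```python
import re
from collections import Counter

# Constructed sample resolver query-log lines (not real data); the fields mirror a resolver log or flow record.
SAMPLE_LOG = """\
2009-01-23T10:01:02 src=66.230.160.1 sport=4123 dst=192.0.2.10 dport=53 q=. type=NS
2009-01-23T10:01:02 src=66.230.160.1 sport=4124 dst=192.0.2.10 dport=53 q=. type=NS
2009-01-23T10:01:03 src=66.230.160.1 sport=4125 dst=192.0.2.10 dport=53 q=. type=NS
2009-01-23T10:01:03 src=198.51.100.7 sport=33001 dst=192.0.2.10 dport=53 q=example.com. type=A
2009-01-23T10:01:04 src=66.230.128.15 sport=4200 dst=192.0.2.10 dport=53 q=. type=NS
2009-01-23T10:01:04 src=66.230.128.15 sport=4201 dst=192.0.2.10 dport=53 q=. type=NS
2009-01-23T10:01:05 src=198.51.100.7 sport=33002 dst=192.0.2.10 dport=53 q=. type=NS
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) sport=(?P<sport>\d+) dst=\S+ dport=(?P<dport>\d+) "
    r"q=(?P<q>\S+) type=(?P<qtype>\S+)"
)

def parse_log(text):
    """Yield one dict per parseable log line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            yield rec

def find_reflection_sources(records, threshold=2):
    """Return {src_ip: count} for sources that sent at least `threshold` queries
    matching the post's pattern: 'NS? .' to udp/53 from a source port other than 53.
    In a reflection attack that src is the spoofed victim, which the answers then flood."""
    hits = Counter()
    for r in records:
        if r["dport"] == 53 and r["sport"] != 53 and r["q"] == "." and r["qtype"] == "NS":
            hits[r["src"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def acl_for(sources, acl_number=110):
    """Cisco extended ACL lines in the form the post gives, one per flagged source.
    Only suitable for hosts that never make outbound DNS queries themselves;
    a real resolver also queries from ports other than 53 and would be cut off."""
    return [f"access-list {acl_number} deny udp host {ip} neq 53 any eq 53"
            for ip in sorted(sources)]

if __name__ == "__main__":
    flagged = find_reflection_sources(parse_log(SAMPLE_LOG))
    print(flagged)
    print("\n".join(acl_for(flagged)))
```

The lone 'NS? .' query from 198.51.100.7 stays below the threshold, which is the point of counting per source rather than alerting on every root NS query.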

UPDATE: Network Solutions says DNS queries for web sites should be responding normally now.

Massive data breach at Heartland Payment Systems

Wednesday, January 21st, 2009

News of the massive data breach at Heartland Payment Systems that may have compromised tens of millions of credit and debit transactions was all over the Internets today. It appears to have been a targeted attack involving malicious software installed on the company’s payment processing network that was designed to capture and report the magnetic-stripe data from the back of a credit card as it was being sent to Heartland for processing by thousands of the company’s retail clients. Rich Mogull over at Securosis observes that, “the biggest breaches now involve attacks installing malicious software to sniff data — including TJX, Hannaford, Cardsystems, and now Heartland Payment Systems.”

It’s worth noting that as a level 1 payment processor, Heartland is required to be PCI compliant. PCI requires that you segment your transaction data from other networks, that you have a firewall that restricts connections between public servers and cardholder data, and that you document and justify the services and ports necessary for business. The new PCI DSS Compliance report available in the recent release of Athena FirePAC automates the process of assessing firewalls for compliance.

All of which is well and good and will certainly provide reasonable protection from random hacking attempts. The trouble is that even though PCI is among the most advanced security compliance standards out there, passing a compliance audit won’t really protect you from targeted attacks such as this one. You have to know what’s going on in your network and how your defenses really behave. A simple inspection of your firewall rules won’t identify the true exposures in your network or the data assets at risk. You need to know exactly which services and ports are allowed to connect to each of your IT and network assets, and that comes from understanding how the ACLs, address translations, and the routing table work together to control the traffic flowing through your firewall. This kind of policy analysis is difficult to get right, and it is where Athena FirePAC excels: it identifies exactly which assets are exposed to risky services and which rules cause the most problems, and it tells you what the impact of a change to the firewall configuration will be before you deploy it to the device. This kind of information is invaluable when you are trying to track down and repair exposures in your network before the data thieves find their way in.
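A minimal version of the check described above, added here as an example and not FirePAC's code or report format: it walks an ordered ACL, resolves static NAT so a permit to a public address is credited to the internal host it really reaches, skips permits shadowed by an earlier deny, and reports every live path from a public source into the cardholder data environment together with whether that port is on the documented, justified list. The NAT table, rules and subnets are constructed, and routing is deliberately left out.

```python
import ipaddress

# Constructed toy configuration (not a FirePAC format, not a real network): a static NAT
# table plus an ordered ACL evaluated first-match-wins.
CDE = ipaddress.ip_network("10.20.0.0/24")          # cardholder data environment
NAT = {"203.0.113.10": "10.20.0.5"}                  # public address -> internal host
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
JUSTIFIED = {443}   # services into the CDE that are documented and business-justified
RULES = [  # (name, action, src, dst as the ACL sees it, proto, dport or None for any)
    ("r1", "permit", "0.0.0.0/0", "203.0.113.10/32", "tcp", 443),     # reaches the CDE via NAT
    ("r2", "permit", "0.0.0.0/0", "10.20.0.0/24", "tcp", 22),         # ssh from anywhere
    ("r3", "permit", "192.168.1.0/24", "10.20.0.0/24", "tcp", 1433),  # internal source only
    ("r4", "deny", "0.0.0.0/0", "10.20.0.0/24", "ip", None),
    ("r5", "permit", "0.0.0.0/0", "10.20.0.0/24", "tcp", 3389),       # never matched: r4 shadows it
]

def real_destination(dst):
    """Resolve a host destination through static NAT to the internal address."""
    net = ipaddress.ip_network(dst)
    key = str(net.network_address)
    if net.prefixlen == 32 and key in NAT:
        return ipaddress.ip_network(NAT[key] + "/32")
    return net

def is_public(src):
    """Treat anything outside the RFC 1918 ranges (including 0.0.0.0/0) as public."""
    net = ipaddress.ip_network(src)
    return not any(net.subnet_of(p) for p in PRIVATE)

def shadowed(idx, rules):
    """True if an earlier deny fully covers rule idx, so it can never match."""
    _, _, src, dst, proto, dport = rules[idx]
    s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    for _, action, psrc, pdst, pproto, pdport in rules[:idx]:
        if (action == "deny" and s.subnet_of(ipaddress.ip_network(psrc))
                and d.subnet_of(ipaddress.ip_network(pdst))
                and pproto in ("ip", proto) and pdport in (None, dport)):
            return True
    return False

def cde_exposures(rules):
    """(rule, port, justified) for every live permit from a public source into the CDE."""
    findings = []
    for i, (name, action, src, dst, proto, dport) in enumerate(rules):
        if action != "permit" or not is_public(src) or shadowed(i, rules):
            continue
        if real_destination(dst).subnet_of(CDE):
            findings.append((name, dport, dport in JUSTIFIED))
    return findings

if __name__ == "__main__":
    print(cde_exposures(RULES))   # r2 is the finding worth acting on: ssh from anywhere, unjustified
```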

Athena FirePAC v2.0 is here!

Monday, January 19th, 2009

The new version of Athena FirePAC is now available for download. Try it out free for 30 days. We’ve added a bunch of cool new features in this release. The new user interface shows you a list of all your licensed firewalls and is a breeze to work with. FirePAC now provides a compliance assessment report for the PCI Data Security Standard v1.2. The PCI assessment correlates the policy analysis performed by FirePAC with the PCI requirements for firewalls and presents the results in a single convenient report. We’ve also added a new report that identifies the top offending rules that are responsible for the most security exposures in the firewall configuration.

And lots more too. Check it out!

FirePAC Webcast Schedule

Sunday, January 11th, 2009

The schedule for my webcasts in January and the first part of February about Athena FirePAC is up.  Register for any one of the webcasts and learn more about using FirePAC to analyze your firewalls.

An emerging measure of global power

Sunday, January 4th, 2009

This is a little old, but I just came across a reference to it on the Security Metrics mailing list. Robert X. Cringely writes about a metric to predict emerging global leaders in technology (and presumably economic development and power) that is based on the number of Cisco Certified Internetwork Experts (CCIEs), broken down by country. Cringely writes:

Where I took a step further was to divide the number of CCIEs into each country’s population, then do the same for each country’s Gross Domestic Product and correct for widely varying populations and states of economic development. For a baseline, then, the U.S. has at present 5,863 CCIEs, which is 1.947 CCIEs per 100,000 population and $2.2 billion of GDP per CCIE.

The results for Europe and North America are not surprising, with Canada, the UK, and Ireland being relatively close to the US. What is more interesting are the numbers for Asia.

India has 0.036 CCIEs per 100K to China’s 0.22 per 100K — a 7X differential — while India has $10 billion in GDP per CCIE to China’s $3.3 billion. There is no doubt that there is plenty of network expertise in India, but these numbers show that expertise isn’t making it out of the technology centers to the rest of the country. China, on the other hand, is developing its IT infrastructure much more broadly. This also doesn’t take into account the simply huge numbers coming out of Hong Kong, where there are 3.3 CCIEs per 100K and $1.13 billion in GDP per CCIE — numbers that might properly be added to the rest of China in some accounts.

Japan has 1.23 CCIEs per 100K to South Korea’s 1.9, but the significant difference between these two countries is the $4 billion per CCIE in GDP for Japan compared to $1.28 billion in South Korea, which is clearly investing massively in network infrastructure.

Looking 30 years into the future I think it is clear that the regional leaders will be China and Korea, NOT India and Japan.



Copyright © 2006-2009 Athena Security, Inc. All Rights Reserved. AthenaVerify™ and Athena FirePAC™ are trademarks of Athena Security, Inc.
Inside the Firewall is proudly powered by WordPress