Botnets scanning like the Borg: DNSSEC three words use VPC always

10 Jun 2015

I’ve been developing web services for the past 6 years or so, and recently, in the middle of prototyping a new service, I encountered a very disturbing thing. I was probed by a botnet. No less than 10 IPs continuously probed my new service for PHP vulnerabilities and other common security snafus. Thankfully, I never deploy services with open security parameters, and I have sufficient logs to alert me to the fact that I’m being probed.

This led me to start thinking about just how many services or machines are simply taken over this way. Some developer, innocently developing a service that needs some public-facing endpoint and that will never see the light of day, deploys open security features for the convenience of testing. I know I’ve done this on closed networks, and it’s not that far of a stretch to skirt adding auth etc. to dev at light speed.

All of the aforementioned led me to quickly postulate just how I ended up on the list of endpoints to probe. The service has had a public endpoint for maybe 1 week. It’s certainly not indexed by Google. DNS of course allows lookups, and my DNS is certainly not a private database, but if you don’t know the endpoint, how do you find it? There are a lot of probabilities, and guessing can be expensive. This led me to DNSSEC and zone enumeration.

Visual interface for [subdomain hunt](https://pentest-tools.com/reconnaissance/find-subdomains-of-domain), and a better description of the technique on Quora here

Back to the point: recently AWS has been pushing EC2 users to use VPC security and subnet restrictions. With VPC security you can really lock down the network. In the past, when I’ve worked for larger corporations, this little I/O bubble provided a lot of security, even for the lazy. Being lean means iterating quickly, but it doesn’t really have to mean being naive. Simply put: lock it down.
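
One way to check that a dev deployment really is locked down, as an added example that is not part of the original post: the script below flags security group ingress rules reachable from any address. The sample data is constructed in the shape of `aws ec2 describe-security-groups` output, and the function name `world_open_rules` and its `allowed_ports` parameter are assumptions of this example.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0aaa-constructed", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0bbb-constructed", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
        # Protocol "-1" means all protocols; no port fields are present.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]}


def world_open_rules(doc, allowed_ports=frozenset()):
    """Return (group_id, protocol, from_port, to_port, cidr) for every
    ingress rule reachable from any address on a port not in allowed_ports.
    The function name and allowed_ports are assumptions of this example."""
    findings = []
    for group in doc.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            # A rule is acceptable only if every port it covers is allowed.
            intended = proto != "-1" and all(
                p in allowed_ports for p in range(lo, hi + 1))
            for cidr in cidrs:
                # Prefix length 0 (0.0.0.0/0 or ::/0) matches every source.
                if ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
                    continue
                if not intended:
                    findings.append((group["GroupId"], proto, lo, hi, cidr))
    return findings


if __name__ == "__main__":
    for finding in world_open_rules(SAMPLE, allowed_ports={443}):
        print("open to the internet:", finding)
```

Passing the ports that are meant to be public in `allowed_ports` leaves only the forgotten test listeners and all-protocol rules in the output.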
