Bugtraq mailing list archives
Re: [Full-disclosure] Re: recursive DNS servers DDoS as a growing DDoSproblem
From: Måns Nilsson <mansaxel () sunet se>
Date: Mon, 13 Mar 2006 23:54:45 +0100
--On den 8 mars 2006 14.58.20 -0500 gboyce <gboyce () badbelly com> wrote:
On Wed, 8 Mar 2006, Security Lists wrote:Sorry, I don't see this as amplification in your example, because YOUR dns servers are 100% of the traffic. 1:1 ratio.Once the first request to the nameservers is made, the object should be cached by the nameservers. Instead of one packet to each server, consider a stream of packets to each server. The recipient will recieve a stream of 100K answers with likely only 200K of traffic back to the attackers DNS server.
Now, the proper way to exploit this is to craft a record in a zone you control, that is some 4 kibibytes large, and have the spoofed query use EDNS0 (RFC2671) and advertise a willingness to receive such a large message. Much better payback. This is not anything artificial, it is based on actual attacks. Go and restrict your recursing name servers to answering queries from your own networks -- we are now, and this makes me sad, at a point where SMTP was 1994-5, open relays were at times regarded as a good utility. No such thing today, and I think DNS will take the same route. Do this limitation soon, but with care and afterthought, so as not to create a walled garden. What we do not want is packet filters as a panic measure. We want the end nodes to be sturdy in themselves. Like other spoofing attack countermeasures, this is a measure that will protect your neighbours more than yourselves, so do it for the good of others. -- Måns Nilsson Systems Specialist +46 70 681 7204 cell KTHNOC +46 8 790 6518 office MN1334-RIPE Hello. I know the divorce rate among unmarried Catholic Alaskan females!!
Attachment:
_bin
Description:
Current thread:
- RE: [Full-disclosure] Re: recursive DNS servers DDoS as a growing DDoSproblem Geo. (Mar 10)
- Re: [Full-disclosure] Re: recursive DNS servers DDoS as a growing DDoSproblem Security Lists (Mar 10)
- Re: [Full-disclosure] Re: recursive DNS servers DDoS as a growing DDoSproblem gboyce (Mar 10)
- Re: [Full-disclosure] Re: recursive DNS servers DDoS as a growing DDoSproblem Mark Senior (Mar 10)
- Re: [Full-disclosure] Re: recursive DNS servers DDoS as a growing DDoSproblem Robert Story (Mar 17)
- Re: [Full-disclosure] Re: recursive DNS servers DDoS as a growing DDoSproblem Bram Matthys (Syzop) (Mar 20)
- Re: [Full-disclosure] Re: recursive DNS servers DDoS as a growing DDoSproblem Tim (Mar 23)
- Re: [Full-disclosure] Re: recursive DNS servers DDoS as a growing DDoSproblem gboyce (Mar 10)
- Re: [Full-disclosure] Re: recursive DNS servers DDoS as a growing DDoSproblem Security Lists (Mar 10)
- Re: [Full-disclosure] Re: recursive DNS servers DDoS as a growing DDoSproblem Måns Nilsson (Mar 17)