Full Disclosure mailing list archives
Re: FW: Question for DNS pros
From: Nils Ketelsen <nils () druecke strg-alt-entf org>
Date: Wed, 4 Aug 2004 22:58:05 +0200
On Wed, Aug 04, 2004 at 11:49:50AM -0700, John Hall wrote:

> It's possible the packets that solicited the traffic were spoofed, but it's generally more likely that someone on your network browsed the site in the last day or two and you just haven't yet been aged out of the list of sites the 3-DNS is keeping track of.

I do not know anything about 3-DNS apart from what I read in this thread, so please excuse me if I get anything wrong or seem to be not understanding:

1. Why do you need to measure metrics for my DNS days after I might have visited a site?

2. How does this kind of setup scale (imagine everyone did that)?

> > But wouldn't that make 3DNS an amplifier in a DoS attack? I guess it depends on how it is configured. Seems so that, when configured wrong with an overly aggressive configuration, it will respond with multiple probe packets to a single spoofed reply.
>
> Definitely not! When your DNS server sends a query to 3-DNS, it's added to a list of sites to keep metrics for. The probes used to create those metrics are rate limited to one overall attempt to gather data per hour regardless of how many times you query the server. A single data gathering

And if I, for example, spoof DNS requests from each IP-Address in the /8 of the organization I dislike? Or I spoof DNS requests from every IP-Address in 0.0.0.0/0? Will you then be sending out probe packets for a few days to all these IP-Addresses? That sounds like a DOS Amplifier to me.

> attempt will try each of its configured probe methods in turn to try and get a response, so you should never see more than 6 - 20 packets per hour, per group of 3-DNS's.

So worst case: 20 packets per hour times 2^32 possible IP Addresses makes you send out 85899345920 an hour. Not bad. And that is for each of your customers, right?

> I don't think that could be a problem with 3-DNS. Your time would probably better be spent trying to ensure that no reconnaissance attempts return data that would be useful to an attacker. I suspect that even if every group of 3-DNS's in the world suddenly added you to their probe lists, you wouldn't see a significant amount of traffic. You'd probably notice it, but it wouldn't compare with the total amount of other unsolicited traffic you receive.

If I happen to have a /8 I might receive 5592405 Probe packets a second per 3-DNS group. I would call that significant.

Nils

--
Can you put that a bit more clearly, or are you the Oracle of Jena?
[Joerg Moeller to Lutz Donnerhacke in de.admin.net-abuse.news]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
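The arithmetic both sides are arguing about, as an added example that is not part of the thread: it models the rate limit John Hall describes (one data-gathering attempt per queried source address per hour, at most 20 packets per attempt, both figures taken from his message) and computes the worst case Nils raises, where queries arrive spoofed from every address in a prefix. The per-source keying of the limit and the 20-packet upper bound are assumptions drawn from the thread, not a description of any real 3-DNS implementation.

```python
# Added example; not code from the thread or from the 3-DNS product.
# Assumption from the thread: the probe rate limit is keyed per source
# address, so a spoofed address space multiplies the aggregate probe load.

MAX_PACKETS_PER_ATTEMPT = 20   # upper end of the "6 - 20 packets" figure
RATE_LIMIT_SECONDS = 3600      # one data-gathering attempt per source per hour


def schedule_probes(queries):
    """Replay DNS queries against the per-source hourly rate limit.

    queries: iterable of (time_in_seconds, source_ip).
    Returns the probe attempts the limit permits as (time, source_ip, packets).
    Repeated queries from one source inside the window trigger no extra probe;
    each distinct (possibly spoofed) source triggers its own attempt.
    """
    last_attempt = {}
    probes = []
    for t, src in sorted(queries):
        if src not in last_attempt or t - last_attempt[src] >= RATE_LIMIT_SECONDS:
            last_attempt[src] = t
            probes.append((t, src, MAX_PACKETS_PER_ATTEMPT))
    return probes


def total_probe_packets(probes):
    """Sum of probe packets emitted for a schedule from schedule_probes()."""
    return sum(packets for _, _, packets in probes)


def worst_case_packets_per_hour(prefix_len):
    """Upper bound per 3-DNS group if a query is spoofed from every address
    in an IPv4 /prefix_len (prefix_len 0 is the 0.0.0.0/0 case in the thread)."""
    return (2 ** (32 - prefix_len)) * MAX_PACKETS_PER_ATTEMPT


def worst_case_packets_per_second(prefix_len):
    """Same bound expressed as a sustained rate over the one-hour window."""
    return worst_case_packets_per_hour(prefix_len) / RATE_LIMIT_SECONDS


if __name__ == "__main__":
    # Constructed sample: one resolver queries repeatedly, one spoofed neighbour once.
    sample = [(0, "10.0.0.1"), (10, "10.0.0.1"), (3599, "10.0.0.1"),
              (3600, "10.0.0.1"), (5, "10.0.0.2")]
    print(schedule_probes(sample))
    print(worst_case_packets_per_hour(0), worst_case_packets_per_second(8))
```

For a /8 the bound works out to 335544320 packets per hour, or about 93207 per second; the 5592405 figure in the message above is that hourly total divided by 60, so it is a per-minute rate.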