Full Disclosure mailing list archives

Re: FW: Question for DNS pros


From: Nils Ketelsen <nils () druecke strg-alt-entf org>
Date: Wed, 4 Aug 2004 22:58:05 +0200

On Wed, Aug 04, 2004 at 11:49:50AM -0700, John Hall wrote:

> It's possible the packets that solicited the traffic were spoofed, but
> it's generally more likely that someone on your network browsed the site
> in the last day or two and you just haven't yet been aged out of the list
> of sites the 3-DNS is keeping track of.

I do not know anything about 3-DNS apart from what I read in this thread, so
please excuse me if I get anything wrong or seem to be not understanding:

1. Why do you need to measure metrics for my DNS days after I might have
visited a site?

2. How does this kind of setup scale (imagine everyone did that)?

> > But wouldn't that make 3DNS an amplifier in a DoS attack? I guess it
> > depends on how it is configured. Seems so that, when configured wrong
> > with an overly aggressive configuration, it will respond with a multiple
> > of probe packets to a single spoofed reply.
>
> Definitely not!  When your DNS server sends a query to 3-DNS, it's added
> to a list of sites to keep metrics for.  The probes used to create those
> metrics are rate limited to one overall attempt to gather data per hour
> regardless of how many times you query the server.  A single data gathering


And if I, for example, spoof DNS requests from each IP-Address in the /8 of
the organization I dislike?

Or I spoof DNS requests from every IP-Address in 0.0.0.0/0?

Will you then be sending out probe packets for a few days to all these
IP-Addresses? That sounds like a DOS Amplifier to me.


> attempt will try each of its configured probe methods in turn to try and
> get a response, so you should never see more than 6 - 20 packets per hour,
> per group of 3-DNS's.


So worst case:

20 packets per hour times 2^32 possible IP Addresses makes you send out
85899345920 an hour. Not bad. And that is for each of your customers, right?


> I don't think that could be a problem with 3-DNS.  Your time would
> probably better be spent trying to ensure that no reconnaissance attempts
> return data that would be useful to an attacker.  I suspect that even
> if every group of 3-DNS's in the world suddenly added you to their probe
> lists, you wouldn't see a significant amount of traffic.  You'd probably
> notice it, but it wouldn't compare with the total amount of other
> unsolicited traffic you receive.

If I happen to have a /8 I might receive 5592405 Probe packets a second per
3-DNS group. I would call that significant.


Nils

-- 
Do you have that in a somewhat clearer form too, or are you the Oracle of Jena?
      [Joerg Moeller to Lutz Donnerhacke in de.admin.net-abuse.news]
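The amplification argument in this exchange, as an added model that is not part of the original thread and not 3-DNS code: it assumes the per-source limit John Hall describes (one attempt of up to 20 packets per hour for every address that ever queried) and adds a hypothetical aggregate outbound cap to show why a limit keyed on an attacker-chosen source address does not bound the total.

```python
"""Model of a metric collector that probes every resolver address that ever
queried it, rate limited per source. Hypothetical illustration only; this is
not F5 3-DNS code and does not claim to be the product's actual logic."""
import ipaddress

PACKETS_PER_ATTEMPT = 20      # upper end of the "6 - 20 packets per hour" in the thread
ATTEMPT_INTERVAL_S = 3600     # one data-gathering attempt per tracked source per hour


class ProbeScheduler:
    def __init__(self, global_budget_per_hour=None):
        self.tracked = set()                          # resolver addresses to probe
        self.global_budget = global_budget_per_hour   # assumed mitigation: aggregate cap

    def observe_query(self, src_ip):
        # The collector cannot tell a spoofed query from a real one (UDP, no
        # handshake), so the claimed source is added to the list either way.
        # Repeated queries from one address do not add a second entry.
        self.tracked.add(ipaddress.ip_address(src_ip))

    def packets_per_hour(self):
        # The per-source limit bounds each entry, not the sum over entries.
        total = len(self.tracked) * PACKETS_PER_ATTEMPT
        if self.global_budget is not None:
            total = min(total, self.global_budget)
        return total


def spoof_prefix(sched, prefix):
    """Feed one spoofed query per address of a small constructed prefix and
    return the resulting outbound probe load in packets per hour."""
    for ip in ipaddress.ip_network(prefix):
        sched.observe_query(str(ip))
    return sched.packets_per_hour()


def worst_case_packets_per_hour(prefix_len):
    """Closed-form figure for a prefix too large to enumerate here (/8, /0)."""
    return (2 ** (32 - prefix_len)) * PACKETS_PER_ATTEMPT


if __name__ == "__main__":
    unbounded = ProbeScheduler()
    capped = ProbeScheduler(global_budget_per_hour=10_000)
    # constructed /20 from the benchmarking range: 4096 spoofed sources
    print("per-source limit only:", spoof_prefix(unbounded, "198.18.0.0/20"), "pkt/h")
    print("with aggregate cap   :", spoof_prefix(capped, "198.18.0.0/20"), "pkt/h")
    print("/0 worst case        :", worst_case_packets_per_hour(0), "pkt/h")
```

The per-source scheduler reproduces the thread's 2^32 times 20 figure; the capped variant shows the shape of a mitigation, since only an aggregate budget (or probing only sources that proved reachability over a handshake) keeps outbound load independent of how many addresses an attacker can spoof.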

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

