nanog mailing list archives

Re: Sipura VoIP phone adapters and DoS against name servers


From: Henry Linneweh <hrlinneweh () sbcglobal net>
Date: Mon, 5 Jul 2004 10:08:26 -0700 (PDT)


Get in contact with manufacturing vendor for a fix, and then tell us what they did or what they intend to do to remedy the problem.

-Henry


--- sthaug () nethelp no wrote:

Last night we configured our equipment to reject recursive DNS lookups from non-customers. This morning, soon after normal office hours began, we started receiving around 2500 DNS lookups per second more than normal to our recursive name servers.

After analyzing the DNS lookups, we found that all of the extra traffic was generated from customers of a local VoIP provider which uses Sipura (SPA-2000) phone adapters. It seems that when these adapters don't receive answers to their DNS queries, they will retransmit the query once per second (until they receive an answer). Multiply by number of adapters, and you have the recipe for a nice DoS.

Shades of Netgear NTP DoS (http://www.cs.wisc.edu/~plonka/netgear-sntp/) - don't vendors ever learn?

Steinar Haug, Nethelp consulting, sthaug () nethelp no
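
The retransmission pattern described in the quoted message (the same query repeated about once per second while unanswered) can be picked out of resolver query logs. This is an added example, not part of the original posts; the log tuple format, the thresholds, and all addresses and names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log: (time in seconds, client IP, query name, query type).
# IPs are from documentation ranges and names are placeholders, not from the post.
SAMPLE_LOG = (
    # Adapter-like clients: same question every second, never answered.
    [(float(t), "192.0.2.10", "sip.example.net", "A") for t in range(0, 8)]
    + [(float(t) + 0.3, "192.0.2.11", "sip.example.net", "A") for t in range(0, 6)]
    # Ordinary stub resolver: distinct names, one retry after 5 s.
    + [(0.0, "198.51.100.7", "www.example.org", "A"),
       (5.0, "198.51.100.7", "www.example.org", "A"),
       (6.0, "198.51.100.7", "mail.example.org", "MX")]
)

def longest_run(times, max_gap):
    """Length of the longest run of queries spaced at most max_gap apart."""
    times = sorted(times)
    best = run = 1
    for prev, cur in zip(times, times[1:]):
        run = run + 1 if cur - prev <= max_gap else 1
        best = max(best, run)
    return best

def find_retransmitters(records, min_repeats=5, max_gap=1.5):
    """Flag clients that repeat one identical question at a steady short interval.

    min_repeats and max_gap are assumed thresholds for this example.
    """
    seen = defaultdict(list)
    for ts, client, qname, qtype in records:
        seen[(client, qname.lower(), qtype)].append(ts)
    flagged = {}
    for (client, qname, qtype), times in seen.items():
        run = longest_run(times, max_gap)
        if run >= min_repeats and run > flagged.get(client, (None, None, 0))[2]:
            flagged[client] = (qname, qtype, run)
    return flagged

def estimated_extra_qps(flagged, retry_interval=1.0):
    """Steady-state extra load if every flagged client retries once per interval."""
    return len(flagged) / retry_interval

if __name__ == "__main__":
    hits = find_retransmitters(SAMPLE_LOG)
    for client, (qname, qtype, run) in sorted(hits.items()):
        print(f"{client} repeated {qname}/{qtype} {run} times in a row")
    print(f"estimated extra load: {estimated_extra_qps(hits):.0f} qps")
```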


