Bugtraq mailing list archives

Re: Dynamic DNS

From: stefan () NS ASIT RO (Stefan Laudat)
Date: Tue, 31 Aug 1999 11:35:59 +0300

   8.2. A denial of service attack can be launched by flooding an update
   forwarder with TCP sessions containing updates that the primary
   master server will ultimately refuse due to permission problems.
   This arises due to the requirement that an update forwarder receiving
   a request via TCP use a synchronous TCP session for its forwarding
   operation.  The connection management mechanisms of [RFC1035 4.2.2]
   are sufficient to prevent large scale damage from such an attack, but
   not to prevent some queries from going unanswered during the attack.


Newest versions of BIND8 die when secondary DNS authorities (or any other hosts) shamelessly
ask for zone transfers/updates in a mass amount,although there are some strongly-defined
acl's. The result is a BIG DoS, rising the load average to Himalaya and blowing up the dns server.
Bug reported already,with a short and concise (should I say amateurish?) bounce answer: "Hell, you can DoS
a lot of services that way!". Just imagine DNS1.microsoft.com under heavy assault.What if the next day
someone finds a good apache DoS and gets rejected ?
Oh,I remembered. Spoofed IP packets are the favourites of the day, you need only to attack not to
listen to the last whispers of a dying server. You just don't want to be logged,
do you ? :>

All Dynamic DNS services that I know of are vulnerable .
I am not going to include code, but it is a trivial task to spoof a packet
(UDP or TCP) with RR data in the
format this RFC specifies.  In other words, anyone can manipulate RR
records by sending bogus data
because the only authentication is IP.


Good old juggernaut should be enough for that >=-). For kiddies it's reccomended to read RFC's
and assemble packets on their own, there are a lot of packet-assembling tools on the Net.


--

Stefan Laudat
Data Networks Analyst
ASIT SA
----------------------------------------------------------------
Skills page http://www.tekmetrics.com/transcript.shtml?pid=30777
----------------------------------------------------------------

!07/11 PDP a ni deppart m'I  !pleH

Current thread:

Re: Dynamic DNS Brad Knowles (Aug 30)
- <Possible follow-ups>
- Re: Dynamic DNS Stefan Laudat (Aug 31)