Bugtraq mailing list archives
Re: Dynamic DNS
From: stefan () NS ASIT RO (Stefan Laudat)
Date: Tue, 31 Aug 1999 11:35:59 +0300
8.2. A denial of service attack can be launched by flooding an update forwarder with TCP sessions containing updates that the primary master server will ultimately refuse due to permission problems. This arises due to the requirement that an update forwarder receiving a request via TCP use a synchronous TCP session for its forwarding operation. The connection management mechanisms of [RFC1035 4.2.2] are sufficient to prevent large scale damage from such an attack, but not to prevent some queries from going unanswered during the attack.
Newest versions of BIND8 die when secondary DNS authorities (or any other hosts) shamelessly ask for zone transfers/updates in a mass amount, although there are some strongly-defined ACLs. The result is a BIG DoS, raising the load average to Himalaya and blowing up the DNS server. Bug reported already, with a short and concise (should I say amateurish?) bounce answer: "Hell, you can DoS a lot of services that way!". Just imagine DNS1.microsoft.com under heavy assault. What if the next day someone finds a good Apache DoS and gets rejected? Oh, I remembered. Spoofed IP packets are the favourites of the day, you need only to attack, not to listen to the last whispers of a dying server. You just don't want to be logged, do you? :>
All Dynamic DNS services that I know of are vulnerable. I am not going to include code, but it is a trivial task to spoof a packet (UDP or TCP) with RR data in the format this RFC specifies. In other words, anyone can manipulate RR records by sending bogus data because the only authentication is IP.
Good old juggernaut should be enough for that >=-). For kiddies it's recommended to read RFCs and assemble packets on their own, there are a lot of packet-assembling tools on the Net.

--
Stefan Laudat
Data Networks Analyst
ASIT SA
----------------------------------------------------------------
Skills page http://www.tekmetrics.com/transcript.shtml?pid=30777
----------------------------------------------------------------
!07/11 PDP a ni deppart m'I !pleH
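Added example, not part of the original post or thread: a receiver-side check for the condition described above, where an update is accepted on source IP alone. It walks a message in the RFC 2136 UPDATE layout and reports whether a TSIG record closes the additional section; TSIG is not mentioned in the post and is assumed here as the authentication mechanism, and every sample byte string is constructed.

```python
import struct

OPCODE_UPDATE = 5  # RFC 2136 UPDATE
TYPE_TSIG = 250    # transaction signature RR (RFC 8945)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while off < len(msg):
        n = msg[off]
        if n & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        if n & 0xC0:
            raise ValueError("reserved label type")
        off += 1 + n
        if n == 0:                 # root label ends the name
            return off
    raise ValueError("truncated name")

def classify_update(msg):
    """Return 'not-update', 'unsigned-update' or 'tsig-present'."""
    if len(msg) < 12:
        raise ValueError("short header")
    _id, flags, zo, pr, up, ad = struct.unpack("!6H", msg[:12])
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        return "not-update"
    off = 12
    for _ in range(zo):            # zone section: name, type, class
        off = _skip_name(msg, off) + 4
    last_type = None
    for _ in range(pr + up + ad):  # prerequisite, update, additional RRs
        off = _skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated RR")
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        last_type = rtype
    if off > len(msg):
        raise ValueError("truncated message")
    # TSIG must be the final additional record; presence is not verification.
    return "tsig-present" if ad and last_type == TYPE_TSIG else "unsigned-update"

# Constructed samples (example.com, 192.0.2.1), not captured traffic.
ZONE = b"\x07example\x03com\x00" + struct.pack("!HH", 6, 1)
ADD_A = b"\x04host\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
FAKE_TSIG = b"\x03key\x00" + struct.pack("!HHIH", TYPE_TSIG, 255, 0, 4) + b"\x00" * 4  # placeholder RDATA
UNSIGNED = struct.pack("!6H", 0x1234, 0x2800, 1, 0, 1, 0) + ZONE + ADD_A
SIGNED = struct.pack("!6H", 0x1234, 0x2800, 1, 0, 1, 1) + ZONE + ADD_A + FAKE_TSIG
QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
```

A result of `tsig-present` only means the record is there; the server still has to verify the MAC against a shared key before applying the update.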