Bugtraq mailing list archives
Re: DNS query spam
From: "Piotr Kamisiński" <rotunda () ktd krakow pl>
Date: Tue, 29 Nov 2005 17:57:41 +0100 (CET)
Hello,

Thanks for your response. The requests don't contain OPT records, but the data I've analysed doesn't cover the most intense attacks. Today has been particularly quiet. I'll wait to accumulate more data.
On Tue, 29 Nov 2005, Florian Weimer wrote:
> * Piotr Kamisiński:
>
> > 23:05:40.241026 IP 204.92.73.10.40760 > xx.xx.xx.xx.53: 38545+ [1au] ANY ANY? e.mpisi.com. (40)
>
> 204.92.73.10 is one of the IP addresses for irc.efnet.ca. Someone is spoofing the source addresses, in the hope that DNS servers will return a large record set.
>
> Could you check if the packets contain OPT records (e.g. using "tcpdump -s 0 -v")? This protocol extension is described in the RFC for EDNS0 (RFC 2671). EDNS0-capable DNS resolvers can send fragmented UDP packets, exceeding the traditional 512-byte limit of DNS UDP replies. The BIND 9 default maximum response size is 4096, for example.
>
> If the spoofed requests contain OPT records, you typically get an amplification factor of about 60 in terms of bandwidth, and 5 in terms of packet rate, but actual numbers may vary. Yet another reason to restrict access to your recursive resolvers to customers only.
Best regards,
Piotr Kamisiński
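The check Florian asks for above (does the spoofed query carry an EDNS0 OPT record, and what UDP payload size does it advertise?) can be done on the raw DNS payload as well as with "tcpdump -s 0 -v". The following is an added example, not code from the thread or from any of its participants: it builds an "ANY ANY?" query for e.mpisi.com with and without an OPT record, parses a query back to report the OPT record and its advertised size, and estimates the bandwidth and packet-rate amplification for a given response size. The 1500-byte MTU, the IPv4+UDP header sizes and the sample query are assumptions made for the example; the 4096-byte response size is the BIND 9 default quoted in the thread. Built with the OPT record, the query comes out at 40 bytes with ARCOUNT 1, which is the length and the "[1au]" annotation tcpdump printed for the quoted packet.

```python
import struct

IP_HDR, UDP_HDR = 20, 8                 # IPv4 and UDP header sizes in bytes (assumed IPv4)
TYPE_ANY, CLASS_ANY, TYPE_OPT = 255, 255, 41


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_any_query(qname, txid=38545, edns_udp_size=None):
    """Build a recursive 'ANY ANY?' query. If edns_udp_size is given, append an
    EDNS0 OPT pseudo-RR (RFC 2671) advertising that UDP payload size."""
    arcount = 1 if edns_udp_size is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD set
    question = encode_name(qname) + struct.pack("!HH", TYPE_ANY, CLASS_ANY)
    msg = header + question
    if edns_udp_size is not None:
        # OPT RR: root owner name, TYPE=41, CLASS field carries the UDP payload
        # size, TTL field carries extended RCODE/version/flags (zero), RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def parse_name(msg, off):
    """Read a possibly compressed name at msg[off]; return (name, next offset)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels) + ".", off + 1
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = parse_name(msg, ptr)
            return ".".join(labels + [tail.rstrip(".")]) + ".", off + 2
        off += 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def inspect_query(msg):
    """Report the question(s), ARCOUNT and, if present, the EDNS0 UDP payload
    size advertised by an OPT record in the additional section."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, edns_size = 12, [], None
    for _ in range(qd):
        name, off = parse_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            _, off = parse_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if section == "ar" and rtype == TYPE_OPT:
                edns_size = rclass                     # CLASS = sender's UDP payload size
    return {"id": txid, "questions": questions, "arcount": ar,
            "edns_udp_size": edns_size, "length": len(msg)}


def estimate_amplification(query_payload, response_payload, mtu=1500):
    """Bytes-on-wire and packet-count ratio of one UDP response to one query,
    assuming IPv4, no IP options, and fragmentation at the given MTU."""
    query_wire = query_payload + UDP_HDR + IP_HDR
    udp_len = response_payload + UDP_HDR
    frag_payload = (mtu - IP_HDR) // 8 * 8           # fragment offsets are 8-byte units
    fragments = -(-udp_len // frag_payload)          # ceiling division
    response_wire = udp_len + IP_HDR * fragments      # every fragment carries an IP header
    return {"response_packets": fragments,
            "bandwidth_factor": response_wire / query_wire,
            "packet_factor": fragments}              # one query packet in, N packets out


if __name__ == "__main__":
    q = build_any_query("e.mpisi.com", edns_udp_size=4096)   # constructed sample query
    print(len(q), inspect_query(q))
    print(estimate_amplification(len(q), 4096))
```

Feed `inspect_query()` the UDP payload of captured queries (for example extracted from a pcap); a non-None `edns_udp_size` means the spoofed requests are asking for large responses. For a 40-byte query and a 4096-byte response the estimate lands near the 60x bandwidth figure quoted in the thread; the packet-rate figure depends on the MTU and the actual response size, which is why it varies.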
Current thread:
- DNS query spam Piotr Kamisiński (Nov 28)
- Re: DNS query spam Josep Ma Castells (Nov 29)
- Re: DNS query spam Florian Weimer (Nov 30)
- Re: DNS query spam Joe (Nov 30)
- Re: DNS query spam Antone Roundy (Nov 29)
- Re: DNS query spam Stephen Stuart (Nov 30)
- Re: DNS query spam Alexander Lourier (Nov 29)
- Re: DNS query spam Florian Weimer (Nov 29)
- Re: DNS query spam Piotr Kamisiński (Nov 29)
- Re: DNS query spam Jim Pingle (Nov 30)
- Re: DNS query spam Josep Ma Castells (Nov 29)