Bugtraq mailing list archives

Re: DNS query spam

From: Florian Weimer <fw () deneb enyo de>
Date: Tue, 29 Nov 2005 17:42:50 +0100

* Piotr Kamisiski:

23:05:40.241026 IP 204.92.73.10.40760 > xx.xx.xx.xx.53:  38545+ [1au] ANY ANY? e.mpisi.com. (40)



204.92.73.10 is one of the IP addresses for irc.efnet.ca.  Someone is
spoofing the source addresses, in the hope that DNS servers will
return a large record set.

Could you check if the packets contain OPT records (e.g. using
"tcpdump -s 0 -v")?  This protocol extension is described in the RFC
for ENDS0 (RFC 2671).  EDNS0-capable DNS resolvers can send fragmented
UDP packets, exceeding the traditional 512 byte limit of DNS UDP
replies.  The BIND 9 default maximum response size is 4096, for
example.

If the spoofed requests contain OPT records , you typically get an
amplification factor of about 60 in terms of bandwidth, and 5 in terms
of packet rate, but actual numbers may vary.

Yet another reason to restrict access to your recursive resolvers to
customers only.

Current thread:

DNS query spam Piotr Kamisiski (Nov 28)
- Re: DNS query spam Josep Ma Castells (Nov 29)
  - Re: DNS query spam Florian Weimer (Nov 30)
  - Re: DNS query spam Joe (Nov 30)
- Re: DNS query spam Antone Roundy (Nov 29)
  - Re: DNS query spam Stephen Stuart (Nov 30)
- Re: DNS query spam Alexander Lourier (Nov 29)
- Re: DNS query spam Florian Weimer (Nov 29)
  - Re: DNS query spam Piotr Kamisiski (Nov 29)
  - Re: DNS query spam Jim Pingle (Nov 30)