Re: [Full-disclosure] Re: recursive DNS servers DDoS as a growing DDoSproblem

["Mark Senior" <senatorfrog () gmail com>]

Correct me if I'm wrong, but I was under the impression that DNS
responses that go over the max size of a UDP datagram won't get split
into multiple UDP datagrams.  Rather, a response with only partial
data will be sent back, and the client has to reconnect over TCP to
get the full data.

RFC 2671 even suggests that UDP DNS messages can't go over 512 bytes
(although it may be old news now that that has been increased).

So, you can send a bunch of source-spoofed requests that are under 100
bytes, and get a bunch of 512 bytes responses.  With the UDP headers,
that would increase the size a little, but not a huge amount.  We're
talking about a traffic amplification of about 10:1 or less.
Respectable, but not enormous.

(Sorry to respond to you twice - I forgot to copy the lists the first time)

Regards
Mark

> Once the first request to the nameservers is made, the object should be
> cached by the nameservers.  Instead of one packet to each server, consider
> a stream of packets to each server.  The recipient will recieve a stream
> of 100K answers with likely only 200K of traffic back to the attackers DNS
> server.