Full Disclosure mailing list archives
DNS Smurf revisited
From: Ian Gulliver <ian-fulldisclosure () penguinhosting net>
Date: Fri, 27 May 2005 10:28:37 -0400
DNS smurf is old news:

http://www.s0ftpj.org/docs/spj-002-000.txt
http://www.ciac.org/ciac/bulletins/j-063.shtml

However, as ISPs continue to operate networks that let spoofed packets out
this issue deserves a little publicity again.

10:17:07.641061 IP (tos 0x0, ttl 64, id 46429, offset 0, flags [DF], length: 49) XXXXXXXXXXXXX.44295 > c.gtld-servers.net.domain: [udp sum ok] 18297 ANY? org. (21)
10:17:07.673800 IP (tos 0x0, ttl 43, id 0, offset 0, flags [DF], length: 468) c.gtld-servers.net.domain > XXXXXXXXXXXXX.44295: 18297- 0/13/13 (440)

% echo "2 k 468 49 / p" | dc
9.55

That's a 9.5X amplification of outgoing traffic; you can probably break
10X with a little more work on the query and nameserver choices.

SOLUTIONS
---------

ISPs: Drop outgoing packets that don't originate from within your
network. You should already be doing this, as it stops a variety of
other attacks.

NS operators: Ratelimit?

Attached is a modernized proof of concept.

--
Ian Gulliver
Penguin Hosting
"Failure is not an option; it comes bundled with your Microsoft products."
Attachment: dnos.c
Attachment: signature.asc
Description: Digital signature
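For the "NS operators: Ratelimit?" suggestion, an operator first needs to know which query/response pairs on their own server amplify traffic. The sketch below is an added example, not part of the original post or its dnos.c attachment: it pairs queries and responses in tcpdump -v output of the format quoted above and flags high ratios. The function name, the 5.0 threshold and the second sample pair (documentation addresses) are assumptions made for illustration.

```python
import re

# One "tcpdump -v" line per packet, in the format quoted in the post.
LINE = re.compile(
    r"^\S+ IP \(.*?length:? (?P<len>\d+)\) "
    r"(?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"(?:\[[^\]]*\] )?(?P<id>\d+)"
)
DNS_PORTS = {"domain", "53"}

# First pair: the capture quoted in the post. Second pair: constructed sample.
SAMPLE = [
    "10:17:07.641061 IP (tos 0x0, ttl 64, id 46429, offset 0, flags [DF], length: 49) XXXXXXXXXXXXX.44295 > c.gtld-servers.net.domain: [udp sum ok] 18297 ANY? org. (21)",
    "10:17:07.673800 IP (tos 0x0, ttl 43, id 0, offset 0, flags [DF], length: 468) c.gtld-servers.net.domain > XXXXXXXXXXXXX.44295: 18297- 0/13/13 (440)",
    "10:17:09.100000 IP (tos 0x0, ttl 64, id 1201, offset 0, flags [DF], length: 61) 192.0.2.10.53001 > 198.51.100.53.53: [udp sum ok] 4242+ A? www.example.org. (33)",
    "10:17:09.120000 IP (tos 0x0, ttl 52, id 0, offset 0, flags [DF], length: 77) 198.51.100.53.53 > 192.0.2.10.53001: 4242 1/0/0 A 203.0.113.7 (49)",
]

def amplification_report(lines, threshold=5.0):
    """Return (server, client, query_len, response_len, ratio, flagged) tuples.

    Lengths are the IP datagram lengths tcpdump prints, the same numbers
    the post divides (468 / 49). Responses with no matching query are skipped.
    """
    pending = {}   # (client, client_port, server, dns_id) -> query length
    report = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        size = int(m["len"])
        if m["dport"] in DNS_PORTS:        # packet going to a nameserver
            pending[(m["src"], m["sport"], m["dst"], m["id"])] = size
        elif m["sport"] in DNS_PORTS:      # packet coming from a nameserver
            query = pending.pop((m["dst"], m["dport"], m["src"], m["id"]), None)
            if query:
                ratio = round(size / query, 2)
                report.append((m["src"], m["dst"], query, size, ratio,
                               ratio >= threshold))
    return report

if __name__ == "__main__":
    for server, client, q, r, ratio, flagged in amplification_report(SAMPLE):
        mark = "RATE-LIMIT CANDIDATE" if flagged else "ok"
        print(f"{server} -> {client}: {q}B query, {r}B response, {ratio}x  {mark}")
```
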
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/