
| Subject: | Re: recursive DNS servers DDoS as a growing DDoS problem |
|---|---|
| Date: | Mon, 27 Mar 2006 16:43:10 -0800 |
> What feature of DNS is being exploited, UDP or the fact that there are a lot of DNS servers you can use?
I think that this is probably a better point than you think. It's almost impossible to change the design of the DNS protocol now but, going forward, I think that we do need to add to the best-practices list that any UDP-based protocol that has an ability to produce packet size amplification, and that is likely to be available to the public (i.e. not firewalled off just on principle), should be modified so that, before large packets get sent back to a client, the service has some sort of 'hello' type protocol that requires that the initiating machine can prove that it's actually able to receive the packets that it's causing to be produced. Even something as simple as SYN cookies would probably make amplification difficult for most attackers.
To put it another way: UDP as a purely connectionless protocol is fast becoming a liability in situations where significant amplification is possible.
-- Stephen Samuel +1(778)861-7641 samnospam@bcgreen.com http://www.bcgreen.com/ Powerful committed communication. Transformation touching the jewel within each person and bringing it to light.
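The 'hello' step proposed in the message above, as an added example that is not part of the original thread and not code from any DNS implementation. It models a UDP service that answers small queries immediately but, for any reply larger than the request, first returns a 16-byte cookie (an HMAC over the source address and a time bucket, so the server keeps no state) and only sends the large reply when that cookie comes back. The wire format, the `ZONE` records, the addresses and the function names are all assumptions made for the demonstration; `spoofed_attack` shows what an attacker forging a victim's source address gets back, with and without a cookie obtained for its own address.

```python
"""Stateless reachability cookie for a UDP service that can amplify.

Added example, not code from the thread or from any DNS implementation.
It models the 'hello' step proposed above: before sending a reply that
is larger than the request, the server returns a small challenge cookie
bound to the requesting address; the large reply goes out only when the
cookie comes back. The wire format, the ZONE data and every name below
are assumptions made for this demonstration.
"""
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)   # per-server secret; a real deployment rotates it
COOKIE_LEN = 16
BUCKET_SECS = 60          # a cookie stays valid for one to two buckets

# Assumed wire format (not any real protocol):
#   byte 0     : b"Q" query, b"C" challenge, b"A" answer
#   bytes 1-16 : cookie, all zero when the sender holds none
#   bytes 17-  : query name (Q) or answer payload (A); empty for C
TYPE_QUERY, TYPE_CHALLENGE, TYPE_ANSWER = b"Q", b"C", b"A"
NO_COOKIE = bytes(COOKIE_LEN)
HDR = 1 + COOKIE_LEN

# Constructed zone data: one tiny record and one large enough to amplify.
ZONE = {
    b"small.example.": b"A 192.0.2.1",
    b"big.example.":   b"TXT " + b"x" * 3000,
}


def _cookie_for(client_ip, bucket):
    msg = client_ip.encode() + bucket.to_bytes(8, "big")
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:COOKIE_LEN]


def make_cookie(client_ip, now=None):
    """Cookie bound to the source address and the current time bucket; no server state."""
    now = time.time() if now is None else now
    return _cookie_for(client_ip, int(now // BUCKET_SECS))


def cookie_ok(client_ip, cookie, now=None):
    """Accept the current and previous bucket so a cookie issued just before rollover still works."""
    now = time.time() if now is None else now
    bucket = int(now // BUCKET_SECS)
    return any(hmac.compare_digest(cookie, _cookie_for(client_ip, b))
               for b in (bucket, bucket - 1))


def server_handle(src_ip, request, now=None):
    """Datagram the server sends back to src_ip (the IP-header source, which is spoofable)."""
    if len(request) < HDR or request[:1] != TYPE_QUERY:
        return b""                       # malformed: never reflect garbage
    cookie, qname = request[1:HDR], request[HDR:]
    reply = TYPE_ANSWER + NO_COOKIE + ZONE.get(qname, b"NXDOMAIN")
    # A reply no larger than the request cannot amplify, so it needs no proof.
    if len(reply) <= len(request) or cookie_ok(src_ip, cookie, now):
        return reply
    # Large reply without proof of reachability: send a 17-byte challenge instead.
    return TYPE_CHALLENGE + make_cookie(src_ip, now)


def parse(datagram):
    return datagram[:1], datagram[1:HDR], datagram[HDR:]


def client_lookup(client_ip, qname, now=None):
    """Honest client: resend with the cookie when challenged.
    Returns (answer, round_trips, bytes_received / bytes_sent)."""
    cookie, sent, received = NO_COOKIE, 0, 0
    for rounds in range(1, 4):           # one challenge round trip is all an honest client needs
        req = TYPE_QUERY + cookie + qname
        reply = server_handle(client_ip, req, now)
        sent, received = sent + len(req), received + len(reply)
        kind, c, payload = parse(reply)
        if kind != TYPE_CHALLENGE:
            return payload, rounds, received / sent
        cookie = c                       # receiving this proved the client is reachable at client_ip
    raise RuntimeError("server kept challenging; cookie rejected")


def naive_amplification(qname):
    """Ratio a server with no challenge step would hand an attacker for this name."""
    req = TYPE_QUERY + NO_COOKIE + qname
    return len(TYPE_ANSWER + NO_COOKIE + ZONE.get(qname, b"NXDOMAIN")) / len(req)


def spoofed_attack(attacker_ip, victim_ip, qname, now=None):
    """Attacker forges victim_ip as source; everything the server sends lands on the victim.
    The attacker first collects a cookie for its own address and tries to replay it.
    Returns the largest bytes-to-victim per byte-sent ratio it achieves."""
    own = server_handle(attacker_ip, TYPE_QUERY + NO_COOKIE + qname, now)
    _, stolen, _ = parse(own)
    worst = 0.0
    for cookie in (NO_COOKIE, stolen):   # stolen cookie is bound to attacker_ip, not victim_ip
        req = TYPE_QUERY + cookie + qname
        worst = max(worst, len(server_handle(victim_ip, req, now)) / len(req))
    return worst
```

Two properties carry the argument: the challenge is never larger than the query that triggered it, so a spoofed query yields a reflection factor below 1 instead of roughly 100 for the large record, and the cookie is keyed to the source address, so a cookie the attacker legitimately obtains for its own address is useless when it forges the victim's. The caveats a practitioner should keep in mind: an attacker who can actually receive at the spoofed address (on-path, or owning that address) is unaffected, the 17-byte challenges are still reflected traffic and should be rate-limited per source, and honest clients pay one extra round trip on the first large answer. The same idea later appeared in the protocol itself as DNS Cookies (RFC 7873).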