Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: recursive DNS servers DDoS as a growing DDoS problem

from [Anton Ivanov] Network Security [Permanent Link]
Subject: Re: recursive DNS servers DDoS as a growing DDoS problem
Date: Fri, 24 Mar 2006 07:11:42 +0000 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris Thompson wrote:


Michael Sierchio <kudzu@tenebras.com> writes:


Robert Story wrote:


VG> In the scenario you describe, I cannot see any actual amplification...

The amplification isn't in the number of hosts responding, but in

packet size.

A very small DNS request packet results in a huge response packet.


Are you talking about rogue authoritative servers? Otherwise, responses
will be limited to 512 bytes, possibly with the truncation bit set.



Unless it supports EDNS, in which case it may be persuaded to send
larger replies. BIND does currently have "you cannot be serious"
cutoff at 4096 bytes.

The reason that it is more awkward to use the method against
authoritative-only nameservers is that you have to find a large
RRset in the wild (or one that will come with large authority and/or
additional sections in the reply) and then use the authoritative
nameservers for that RRset, not any old open recursive nameserver
(or many of them). You cannot craft your own RRset for the purpose.


That is not a problem. As usually MCI at your service. They have
switched from RFC 3258 DNS design to having a very long list of name
servers each of which is separate. That is at least 345 bytes of
extra/authority section instead of the usual 70-100. All you need is
to find a domain hosted with them. If you are happy with a 5x
amplification you can simply use MCI.com

They are not the only ones.

It is a general trend in large ISPs/Telcos to exterminate with extreme
prejudice any DNS design that requires some networking competence.
Once again - transitions from RFC3258 to long lists are only one
example. Plenty of others.


But you can still get amplification, certainly.


The real solution to this problem is people finally starting to
enforce antispoofing on access networks. It is the same story as with
smurf and broadcast amplification 7 years ago. It is time to put up a
name and shame list out there.

- --

A. R. Ivanov
E-mail:  aivanov@sigsegv.cx
WWW:     http://www.sigsegv.cx/
pub 1024D/DDE5E715 2002-03-03 Anton R. Ivanov <ai1-n@sigsegv.cx>
    Fingerprint: C824 CBD7 EE4B D7F8 5331  89D5 FCDA 572E DDE5 E715

        
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFEI5uu/NpXLt3l5xURApliAJ9LzA/Cnan74hSvRhOEKH6B0BI1zwCfe3x2
uDzVwvQTQQ5ugwYdtRdKhbM=
=AKsS
-----END PGP SIGNATURE-----
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: PasswordSafe 3.0 weak random number generator allows key recovery attack, ronys
Next by Date:  Microsoft Windows XP SP2 Firewall issue, edubp2002
Previous by Thread:  Re: recursive DNS servers DDoS as a growing DDoS problem, Chris Thompson
Next by Thread:  Re: recursive DNS servers DDoS as a growing DDoS problem, MaddHatter
Indexes:  [Date] [Thread] [Top] [All Lists]