Security-Alerts mailing list archive (security-alerts@yandex-team.ru)
[security-alerts] DNS query as DOS amplifier
> -----Original Message-----
> From: Florian Weimer [mailto:fw@xxxxxxxxxxxxx]
> Sent: Tuesday, November 29, 2005 7:43 PM
> To: Piotr Kamisiski
> Cc: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Re: DNS query spam
>
> * Piotr Kamisiski:
>
> > 23:05:40.241026 IP 204.92.73.10.40760 > xx.xx.xx.xx.53: 38545+ [1au] ANY ANY? e.mpisi.com. (40)
>
>
> 204.92.73.10 is one of the IP addresses for irc.efnet.ca. Someone is
> spoofing the source addresses, in the hope that DNS servers will
> return a large record set.
>
> Could you check if the packets contain OPT records (e.g. using
> "tcpdump -s 0 -v")? This protocol extension is described in the RFC
> for EDNS0 (RFC 2671). EDNS0-capable DNS resolvers can send fragmented
> UDP packets, exceeding the traditional 512 byte limit of DNS UDP
> replies. The BIND 9 default maximum response size is 4096, for
> example.
>
> If the spoofed requests contain OPT records, you typically get an
> amplification factor of about 60 in terms of bandwidth, and 5 in terms
> of packet rate, but actual numbers may vary.
>
> Yet another reason to restrict access to your recursive resolvers to
> customers only.
>
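The check Florian asks for above (does the spoofed query carry an EDNS0 OPT record, and what reply size does it advertise?) can be done on the raw UDP payload rather than by eyeballing tcpdump output. The following is an added example written for this archive page, not code from the thread or from any of the participants: it parses a DNS query's header, question and additional section, reports whether the qtype is ANY and whether an OPT record advertises a payload size above the classic 512-byte limit. The sample packet is constructed in the block with `build_query` so that it matches the tcpdump summary quoted above (transaction id 38545, RD set, one additional record, 40 bytes); the advertised EDNS0 UDP size of 4096 is an assumption, since the original capture does not show it. Function names (`inspect_query`, `build_query`, `_read_name`) are the example's own.

```python
"""Inspect a raw DNS query (UDP payload) for the traits discussed in the thread:
qtype ANY plus an EDNS0 OPT record advertising a large UDP payload size.
The sample packet is constructed below; it is not captured traffic."""
import struct

QTYPE_ANY = 255
RRTYPE_OPT = 41
CLASSIC_UDP_LIMIT = 512  # pre-EDNS0 maximum size of a DNS reply over UDP, in bytes


def _read_name(buf, off):
    """Decode a (possibly compressed) DNS name at offset off; return (name, next_offset)."""
    labels = []
    end = None  # offset just past the first compression pointer, if any
    while True:
        length = buf[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer into the message
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | buf[off + 1]
            continue
        labels.append(buf[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels) + ".", (end if end is not None else off)


def inspect_query(pkt):
    """Parse header, question and additional section; return a summary dict."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = _read_name(pkt, off)
        qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append((name, qtype))
    # Skip answer/authority RRs (normally absent in a query): name, 10-byte fixed part, rdata.
    for _ in range(an + ns):
        _, off = _read_name(pkt, off)
        rdlen = struct.unpack("!H", pkt[off + 8:off + 10])[0]
        off += 10 + rdlen
    edns_size = None
    for _ in range(ar):
        _, off = _read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == RRTYPE_OPT:
            edns_size = rclass  # OPT reuses the CLASS field as the requestor's UDP payload size
    return {
        "id": txid,
        "recursion_desired": bool(flags & 0x0100),
        "questions": questions,
        "any_query": any(qt == QTYPE_ANY for _, qt in questions),
        "edns_udp_size": edns_size,
        "large_reply_capable": edns_size is not None and edns_size > CLASSIC_UDP_LIMIT,
    }


def build_query(name, qtype, edns_udp_size=None, txid=38545):
    """Construct a minimal DNS query (RD set) as test input; constructed, not captured."""
    labels = b"".join(struct.pack("B", len(l)) + l.encode("ascii")
                      for l in name.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    additional, arcount = b"", 0
    if edns_udp_size is not None:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL 0, RDLEN 0
        additional = b"\x00" + struct.pack("!HHIH", RRTYPE_OPT, edns_udp_size, 0, 0)
        arcount = 1
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, arcount)
    return header + question + additional


if __name__ == "__main__":
    # Mirrors the quoted tcpdump line: id 38545, RD set, ANY, one additional RR, 40 bytes.
    # The 4096-byte EDNS0 size is an assumption; the capture on the page does not show it.
    pkt = build_query("e.mpisi.com.", QTYPE_ANY, edns_udp_size=4096)
    print(len(pkt), inspect_query(pkt))
```

Run against real traffic, feed `inspect_query` the UDP payload of each inbound query on port 53; queries that are ANY, carry an OPT record with a size above 512 and arrive for names you are not authoritative for (or from sources that are not your customers) are the ones the thread is warning about, and the resolver-side fix remains the one Florian gives: restrict recursion to your own clients.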