[dns-operations] DNS deluge for x.p.ctrc.cc
Sam Norris
Sam at ChangeIP.com
Mon Feb 27 18:38:19 UTC 2006
I believe we will find that SIP phones are also going to have this same
problem. Many people even give VoIP a high QoS priority : ) Soon there
will be a VoIP phone on every desk, and each will be able to reply back to a
spoofed IP with a packet larger than 512 bytes... it's going to be fun when
this becomes a more popular attack - NOT.
Sam
----- Original Message -----
From: "Sam Norris" <Sam at ChangeIP.com>
To: "John Kristoff" <jtk at ultradns.com>; <dns-operations at mail.oarc.isc.org>
Sent: 02/27/2006 10:11 AM
Subject: Re: [dns-operations] DNS deluge for x.p.ctrc.cc
> Isn't this an issue even if the DNS server isn't an open recursive but
> simply listens on port 53? Sending a packet with a spoofed source is a
> problem for ANY UDP service. If open resolvers are all taken off the net,
> what's to stop the botnets from sending enough queries to the root servers
> with spoofed sources to accomplish the same goal? Sure it takes more
> packets but ...
>
> Why bother testing if it's recursive if either way it's going to send
> packets back to a victim? Sure it's a smaller payload, but it's still an
> attack vector.
>
> Sam
>
>
>
> ----- Original Message -----
> From: "John Kristoff" <jtk at ultradns.com>
> To: <dns-operations at mail.oarc.isc.org>
> Sent: 02/27/2006 9:30 AM
> Subject: Re: [dns-operations] DNS deluge for x.p.ctrc.cc
>
>
>> On Sun, Feb 26, 2006 at 09:23:23AM -0800, william(at)elan.net wrote:
>>> What is a correct way to verify if a DNS server is recursive from your
>>> resolver? Is asking for info on your own domain from a remote nameserver ok
>>> for it? What timeout should be used to decide that there was no answer?
>>
>> It is possible in some configurations, for example with BIND and an
>> allow-recursion ACL, that generally hosts even outside the ACL will
>> still receive an answer the server is not authoritative for if it is
>> cached locally. So one obvious way around this would be
>> to query for a record with a TTL=0 that the server is not authoritative
>> for.
>>
>> John
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.oarci.net
>> http://lists.oarci.net/mailman/listinfo/dns-operations
>
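The two checks the thread circles around, written up here as an added example (this is not code posted by any participant, and it talks to no server): build a small recursive query, read the reply's header flags to tell an open recursive server from one that refuses, use John's TTL=0 probe record to rule out a cache hit, and compute how many bytes go back relative to the query that a spoofed source could have sent. The replies are constructed in-process; probe.example.net and 192.0.2.1 are placeholder values.

```python
"""Added example: classify a DNS reply the way the thread suggests.

The responses below are constructed in-process (no network); probe.example.net
and 192.0.2.1 are placeholder values, not anything from the thread.
"""
import struct

QTYPE_A, QTYPE_TXT = 1, 16
RCODE_REFUSED = 5
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a 0 byte."""
    out = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(qname, qtype=QTYPE_A, txid=0x1234):
    """Plain recursive (RD=1) query: one question, no EDNS, so it stays tiny."""
    header = struct.pack(">HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack(">HH", qtype, 1)


def build_response(query, flags, answers):
    """Constructed reply: echoes the question section and appends answer
    records whose owner name is a compression pointer (0xC00C) to offset 12,
    where the question name starts. answers = [(rtype, ttl, rdata), ...]."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, flags, 1, len(answers), 0, 0)
    body = query[12:]
    for rtype, ttl, rdata in answers:
        body += b"\xc0\x0c" + struct.pack(">HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return header + body


def parse_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels) + ".", end if end is not None else off


def parse_response(msg):
    """Pull the header flags and the answer section out of a reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                       # skip the question section
        _, off = parse_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = parse_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        answers.append({"name": name, "type": rtype, "ttl": ttl,
                        "rdata": msg[off:off + rdlen]})
        off += rdlen
    return {"txid": txid, "aa": bool(flags & FLAG_AA), "ra": bool(flags & FLAG_RA),
            "rcode": flags & 0x000F, "answers": answers}


def classify(query, response):
    """Decide what the reply says about the server, and how much it amplifies."""
    info = parse_response(response)
    if info["rcode"] == RCODE_REFUSED:
        info["verdict"] = "refused"
    elif info["answers"] and not info["aa"]:
        # Data the server is not authoritative for: it recursed, or it had the
        # record cached (John's caveat about hosts outside the ACL). A probe
        # record published with TTL 0 cannot be served from cache, so a reply
        # whose answers all carry TTL 0 proves a fresh recursion.
        info["verdict"] = "open-recursive"
    else:
        info["verdict"] = "no-recursive-answer"
    info["fresh_recursion"] = bool(info["answers"]) and all(
        a["ttl"] == 0 for a in info["answers"])
    info["query_len"] = len(query)
    info["response_len"] = len(response)
    info["amplification"] = len(response) / len(query)   # bytes out per spoofed byte in
    return info


if __name__ == "__main__":
    q = build_query("probe.example.net")
    big_txt = b"\xff" + b"A" * 255 + b"\xff" + b"A" * 255   # 512 bytes of rdata
    cases = {
        "open, TTL 0 probe": build_response(q, FLAG_QR | FLAG_RD | FLAG_RA,
                                            [(QTYPE_A, 0, bytes([192, 0, 2, 1]))]),
        "refused": build_response(q, FLAG_QR | FLAG_RD | RCODE_REFUSED, []),
        "open, large TXT": build_response(q, FLAG_QR | FLAG_RD | FLAG_RA,
                                          [(QTYPE_TXT, 3600, big_txt)]),
    }
    for label, resp in cases.items():
        r = classify(q, resp)
        print(f"{label:18s} verdict={r['verdict']:20s} RA={r['ra']} "
              f"{r['query_len']}B -> {r['response_len']}B x{r['amplification']:.1f}")
```

To run this against a real server you would send build_query() over UDP to port 53 (only to servers you are responsible for) and hand the bytes that come back to classify(); the constructed replies stand in for that here. The 35-byte query against the large TXT reply shows Sam's point from the other direction: the reply is 559 bytes, past the 512-byte UDP limit the thread mentions, for about 16 bytes returned per byte a spoofer sent.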