[dns-operations] DNS deluge for x.p.ctrc.cc

Sean Leach sleach at ultradns.com
Mon Feb 27 18:40:17 UTC 2006


On Feb 27, 2006, at 10:38 AM, Sam Norris wrote:

> I believe we will find that SIP phones are going to also have this same
> problem.  Many people even give VoIP a high QoS priority : )  Soon there
> will be a VoIP phone on every desk and each will be able to reply back to a
> spoofed IP with a packet larger than 512 bytes... it's going to be fun when
> this becomes a more popular attack - NOT.

I would hope most people NAT their phones :)




>
> Sam
>
> ----- Original Message -----
> From: "Sam Norris" <Sam at ChangeIP.com>
> To: "John Kristoff" <jtk at ultradns.com>; <dns-operations at mail.oarc.isc.org>
> Sent: 02/27/2006 10:11 AM
> Subject: Re: [dns-operations] DNS deluge for x.p.ctrc.cc
>
>
>> Isn't this an issue even if the DNS server isn't an open-recursive but
>> simply listens on port 53?  Sending a packet with a spoofed source is a
>> problem for ANY UDP service.  If open resolvers are all taken off the net
>> what's to stop the botnets from sending enough queries to the root servers
>> with spoofed sources to accomplish the same goal?  Sure it takes more
>> packets but ...
>>
>> Why bother testing if it's recursive if either way it's going to send
>> packets back to a victim?  Sure it's a smaller payload but it's still an
>> attack vector.
>>
>> Sam
>>
>>
>>
>> ----- Original Message -----
>> From: "John Kristoff" <jtk at ultradns.com>
>> To: <dns-operations at mail.oarc.isc.org>
>> Sent: 02/27/2006 9:30 AM
>> Subject: Re: [dns-operations] DNS deluge for x.p.ctrc.cc
>>
>>
>>> On Sun, Feb 26, 2006 at 09:23:23AM -0800, william(at)elan.net wrote:
>>>> What is a correct way to verify if a DNS server is recursive from your
>>>> resolver? Is asking info on your own domain from remote nameserver ok
>>>> for it? What timeout should be used to decide that there was no answer?
>>>
>>> It is possible in some configurations, for example with BIND and an
>>> allow recursion ACL, where generally hosts even outside the ACL will
>>> still receive an answer the server is not authoritative for if it is
>>> cached locally.  So one possible obvious way around this would be
>>> to query for a record with a TTL=0 that the server is not authoritative
>>> for.
>>>
>>> John
>>> _______________________________________________
>>> dns-operations mailing list
>>> dns-operations at lists.oarci.net
>>> http://lists.oarci.net/mailman/listinfo/dns-operations


Sean Leach - sleach at ultradns.com
Director, Product Development
UltraDNS - www.ultradns.com
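
John Kristoff's quoted suggestion (query for a TTL=0 record the server is not authoritative for, so a cached answer cannot be mistaken for recursion) can be sketched as follows. This is an added example, not code from the thread: the test name `ttl0.example.net`, the function names and the response bytes are constructed for illustration, and it assumes you publish the TTL=0 record yourself and audit a server you operate.

```python
import struct

def encode_name(name):
    """Encode a domain name as length-prefixed DNS labels."""
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def build_query(name, qid=0x1234):
    """A/IN query with RD=1, i.e. asking the server to recurse."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(query, flags, ttls):
    """Constructed reply for the demo: one A record (192.0.2.1) per TTL in `ttls`."""
    qid = struct.unpack("!H", query[:2])[0]
    head = struct.pack("!HHHHHH", qid, flags, 1, len(ttls), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, t, 4) + bytes([192, 0, 2, 1])
                   for t in ttls)
    return head + query[12:] + rrs

def skip_name(msg, off):
    """Return the offset just past a name, which may end in a compression pointer."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def classify(msg):
    """Interpret a reply to an RD=1 query for a name the server is not authoritative for."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    aa, rcode = bool(flags & 0x0400), flags & 0x000F
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # skip QTYPE and QCLASS
    ttls = []
    for _ in range(an):
        off = skip_name(msg, off)
        _, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        ttls.append(ttl)
        off += 10 + rdlen
    if rcode == 5:
        return "refused"                   # ACL rejected the query outright
    if aa:
        return "authoritative"             # wrong test name: the server owns this zone
    if not ttls:
        return "no-answer"                 # referral or empty reply: it did not recurse
    if all(t == 0 for t in ttls):
        return "recursed"                  # TTL=0 should not be served from cache
    return "maybe-cached"                  # TTL>0 may be a cache hit: inconclusive
```

To run it against a live server, send `build_query(...)` over UDP port 53 and pass the received datagram to `classify`; the timeout to use is a separate choice that the thread leaves open.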




