[dns-operations] DNS deluge for x.p.ctrc.cc

Sam Norris Sam at ChangeIP.com
Mon Feb 27 18:47:11 UTC 2006


Funny thing is that SIP doesn't work with NAT very well so most people just 
open up a 1:1 to their phone...  I'm guessing there are at least as many 
vonage adapters out there as open dns resolvers...  (I'm just pulling that 
comparison out of my ass - so if I'm wrong don't shoot me).

The problem lies in UDP spoofing not the DNS protocol itself.

Sam

----- Original Message ----- 
From: "Sean Leach" <sleach at ultradns.com>
To: "Sam Norris" <Sam at ChangeIP.com>
Cc: <dns-operations at mail.oarc.isc.org>
Sent: 02/27/2006 10:40 AM
Subject: Re: [dns-operations] DNS deluge for x.p.ctrc.cc


>
> On Feb 27, 2006, at 10:38 AM, Sam Norris wrote:
>
>> I believe we will find that SIP phones are going to also have this same
>> problem.  Many people even give voip a high qos priority : )  Soon there
>> will be a VOIP phone on every desk and each will be able to reply back to a
>> spoofed IP with a packet larger than 512 bytes... it's going to be fun when
>> this becomes a more popular attack - NOT.
>
> I would hope most people NAT their phones :)
>
>
>
>
>>
>> Sam
>>
>> ----- Original Message -----
>> From: "Sam Norris" <Sam at ChangeIP.com>
>> To: "John Kristoff" <jtk at ultradns.com>; <dns- 
>> operations at mail.oarc.isc.org>
>> Sent: 02/27/2006 10:11 AM
>> Subject: Re: [dns-operations] DNS deluge for x.p.ctrc.cc
>>
>>
>>> Isn't this an issue even if the dns server isn't an open-recursive but
>>> simply listens on port 53?  Sending a packet with a spoofed source is a
>>> problem for ANY udp service.  If open resolvers are all taken off the net
>>> what's to stop the botnets from sending enough queries to the root servers
>>> with spoofed sources to accomplish the same goal?  Sure it takes more
>>> packets but ...
>>>
>>> Why bother testing if it's recursive if either way it's going to send packets
>>> back to a victim?  Sure it's a smaller payload but it's still an attack
>>> vector.
>>>
>>> Sam
>>>
>>>
>>>
>>> ----- Original Message -----
>>> From: "John Kristoff" <jtk at ultradns.com>
>>> To: <dns-operations at mail.oarc.isc.org>
>>> Sent: 02/27/2006 9:30 AM
>>> Subject: Re: [dns-operations] DNS deluge for x.p.ctrc.cc
>>>
>>>
>>>> On Sun, Feb 26, 2006 at 09:23:23AM -0800, william(at)elan.net wrote:
>>>>> What is a correct way to verify if dns server is recursive from your
>>>>> resolver? Is asking info on your own domain from remote nameserver ok
>>>>> for it? What timeout should be used to decide that there was no answer?
>>>>
>>>> It is possible in some configurations, for example with BIND and an
>>>> allow recursion ACL, where generally hosts even outside the ACL will
>>>> still receive an answer the server is not authoritative for if it is
>>>> cached locally.  So one obvious way around this would be to query for a
>>>> record with a TTL=0 that the server is not authoritative for.
>>>>
>>>> John
>>>> _______________________________________________
>>>> dns-operations mailing list
>>>> dns-operations at lists.oarci.net
>>>> http://lists.oarci.net/mailman/listinfo/dns-operations
>>>
>
>
> Sean Leach - sleach at ultradns.com
> Director, Product Development
> UltraDNS - www.ultradns.com
>
>
> 
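John Kristoff's suggestion in the quoted thread (send a recursion-desired query for a name the server is not authoritative for, ideally a record with TTL=0 so a cached answer cannot masquerade as recursion) can be turned into a small probe. The code below is an added example, not anything posted to the list; it uses only the Python standard library, speaks raw DNS over UDP, and the probe name, server address and sample reply bytes are constructed for illustration.

```python
"""Open-recursion probe in the spirit of the thread above.

Added example (not list code).  Sends an RD=1 query for a name the target
is not authoritative for and classifies the reply.  A TTL=0 answer cannot
have come from cache, so it proves the server recursed on our behalf, which
is what makes a resolver usable as a spoofed-source amplifier.
"""
import random
import socket
import struct


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels plus a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, rd=True, txid=None):
    """RFC 1035 header plus one question (A record by default), no EDNS."""
    if txid is None:
        txid = random.randrange(0, 65536)
    flags = 0x0100 if rd else 0x0000            # QR=0, OPCODE=0, RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def skip_name(data, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:                # compression pointer, 2 bytes
            return off + 2
        off += 1 + length


def parse_response(data):
    """Extract header flags, RCODE and the TTL of every answer RR."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4           # QTYPE + QCLASS
    ttls = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        ttls.append(ttl)
        off += 10 + rdlen
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "ancount": an, "ttls": ttls}


def classify(resp):
    """What an RD=1 query for a foreign name tells us about the server."""
    if resp["rcode"] == 5:
        return "refused"                         # REFUSED: recursion denied
    if resp["aa"]:
        return "authoritative"                   # probe name was badly chosen
    if resp["ancount"] > 0:
        if all(t == 0 for t in resp["ttls"]):
            return "open-recursive"              # TTL=0 cannot be a cache hit
        return "answered-maybe-cached"           # Kristoff's ACL-plus-cache case
    return "no-answer"                           # referral, SERVFAIL, empty


def build_response(query, answers=(), aa=False, ra=True, rcode=0):
    """Constructed reply for offline testing: echoes the question and adds
    A records whose owner is a 0xC00C pointer back to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8100 | (0x0400 if aa else 0) | (0x0080 if ra else 0) | rcode
    question = query[12:skip_name(query, 12) + 4]
    rrs = b""
    for ttl, ip in answers:
        rrs += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0) + question + rrs


def probe(server, name, timeout=2.0, port=53):
    """Live probe over UDP (needs network); server/name are caller supplied."""
    q = build_query(name)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(q, (server, port))
        data, _ = s.recvfrom(4096)
    except socket.timeout:
        return "timeout"
    finally:
        s.close()
    resp = parse_response(data)
    if not resp["qr"] or resp["id"] != struct.unpack("!H", q[:2])[0]:
        return "bogus"                           # wrong ID or not a reply
    return classify(resp)


if __name__ == "__main__":
    # Hypothetical target and probe name; replace with a TTL=0 record you
    # control that the target server does not serve.
    print(probe("192.0.2.53", "ttl0-probe.example.net"))
```

The ordering in `classify` matters: AA is checked before the answer count so that a server legitimately authoritative for the probe name is never reported as an open resolver, and an answer with non-zero TTLs is deliberately left ambiguous, since it is exactly the "outside the ACL but cached locally" case the thread warns about.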
