[dns-operations] DNS deluge for x.p.ctrc.cc
Sam Norris
Sam at ChangeIP.com
Mon Feb 27 18:47:11 UTC 2006
Funny thing is that SIP doesn't work with NAT very well, so most people just
open up a 1:1 to their phone... I'm guessing there are at least as many
Vonage adapters out there as open DNS resolvers... (I'm just pulling that
comparison out of my ass - so if I'm wrong don't shoot me).
The problem lies in UDP spoofing, not the DNS protocol itself.
Sam
----- Original Message -----
From: "Sean Leach" <sleach at ultradns.com>
To: "Sam Norris" <Sam at ChangeIP.com>
Cc: <dns-operations at mail.oarc.isc.org>
Sent: 02/27/2006 10:40 AM
Subject: Re: [dns-operations] DNS deluge for x.p.ctrc.cc
>
> On Feb 27, 2006, at 10:38 AM, Sam Norris wrote:
>
>> I believe we will find that SIP phones are going to also have this same
>> problem. Many people even give VoIP a high QoS priority : ) Soon there
>> will be a VoIP phone on every desk and each will be able to reply back
>> to a spoofed IP with a packet larger than 512 bytes... it's going to be
>> fun when this becomes a more popular attack - NOT.
>
> I would hope most people NAT their phones :)
>
>
>
>
>>
>> Sam
>>
>> ----- Original Message -----
>> From: "Sam Norris" <Sam at ChangeIP.com>
>> To: "John Kristoff" <jtk at ultradns.com>; <dns-operations at mail.oarc.isc.org>
>> Sent: 02/27/2006 10:11 AM
>> Subject: Re: [dns-operations] DNS deluge for x.p.ctrc.cc
>>
>>
>>> Isn't this an issue even if the DNS server isn't an open-recursive but
>>> simply listens on port 53? Sending a packet with a spoofed source is a
>>> problem for ANY UDP service. If open resolvers are all taken off the
>>> net, what's to stop the botnets from sending enough queries to the root
>>> servers with spoofed sources to accomplish the same goal? Sure it takes
>>> more packets but ...
>>>
>>> Why bother testing if it's recursive if either way it's going to send
>>> packets back to a victim? Sure it's a smaller payload but it's still an
>>> attack vector.
>>>
>>> Sam
>>>
>>>
>>>
>>> ----- Original Message -----
>>> From: "John Kristoff" <jtk at ultradns.com>
>>> To: <dns-operations at mail.oarc.isc.org>
>>> Sent: 02/27/2006 9:30 AM
>>> Subject: Re: [dns-operations] DNS deluge for x.p.ctrc.cc
>>>
>>>
>>>> On Sun, Feb 26, 2006 at 09:23:23AM -0800, william(at)elan.net wrote:
>>>>> What is a correct way to verify if a DNS server is recursive from your
>>>>> resolver? Is asking info on your own domain from a remote nameserver OK
>>>>> for it? What timeout should be used to decide that there was no
>>>>> answer?
>>>>
>>>> It is possible in some configurations, for example with BIND and an
>>>> allow recursion ACL, where generally hosts even outside the ACL will
>>>> still receive an answer the server is not authoritative for if it is
>>>> cached locally. So one possible, obvious way around this would be
>>>> to query for a record with a TTL=0 that the server is not
>>>> authoritative for.
>>>>
>>>> John
>>>> _______________________________________________
>>>> dns-operations mailing list
>>>> dns-operations at lists.oarci.net
>>>> http://lists.oarci.net/mailman/listinfo/dns-operations
>
>
> Sean Leach - sleach at ultradns.com
> Director, Product Development
> UltraDNS - www.ultradns.com
>
>
>
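The recursion check discussed in the quoted thread (query for a TTL=0 record the server is not authoritative for, so a cached copy cannot answer), as an added example that is not from any poster on the list: a Python classifier for the response returned by a server you administer. The name `ttl0.example.net`, the constructed sample responses and all function names are assumptions for illustration, and the parser assumes a single question in the message.

```python
import struct

def build_query(name, qid=0x1234):
    """A/IN query with RD=1 (recursion desired) for a name you control."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        if n == 0:                    # root label ends the name
            return off + 1
        off += 1 + n

def first_answer_ttl(msg):
    """TTL of the first answer RR, or None if the message is truncated."""
    try:
        off = skip_name(msg, skip_name(msg, 12) + 4)   # question, then RR name
        return struct.unpack_from("!HHI", msg, off)[2]
    except (IndexError, struct.error):
        return None

def classify(query, response):
    """Verdict for a query about a name the server is NOT authoritative for."""
    if len(response) < 12:
        return "malformed"
    qid, flags, _qd, an = struct.unpack_from("!4H", response)
    if qid != struct.unpack_from("!H", query)[0] or not flags & 0x8000:
        return "mismatch"             # wrong ID or QR bit not set
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"
    if flags & 0x0400:
        return "authoritative"        # AA set: the test name was a bad choice
    if rcode == 0 and an > 0:
        ttl = first_answer_ttl(response)
        if ttl is None:
            return "malformed"
        # TTL=0 cannot have come from cache, so the server really recursed.
        return "recursed" if ttl == 0 else "recursed-or-cached"
    return "no-answer"

def sample_response(query, flags, ttl=None):
    """Constructed test response: echoes the question, optional one A record."""
    rr = b"" if ttl is None else b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes([192, 0, 2, 1])
    return query[:2] + struct.pack("!5H", flags, 1, 1 if rr else 0, 0, 0) + query[12:] + rr
```

A "recursed-or-cached" verdict is the ambiguous case described in the thread: the answer may have been served from cache to a host outside the ACL, which is why the test record needs TTL=0.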