[dns-operations] DNS deluge for x.p.ctrc.cc

Ejay Hire ejay.hire at isdn.net
Wed Mar 1 16:59:18 UTC 2006


Hello.

If the ISP fixes their DNS servers to restrict the IPs for which they
answer recursive queries, then those fixed DNS servers will ignore the
spoofed request because the spoofed request appears to come from an IP
that they do not serve.

I.e. to attack my router, Joe sends this packet to a random DNS server:

From: MY.IP.AD.DR To: DNS.SRVR query all x.p.ctrc.cc

The DNS server looks up MY.IP.AD.DR in its recursive permit list, finds
it isn't there and ignores the request.

-ejay

> -----Original Message-----
> From: dns-operations-bounces at lists.oarci.net
> [mailto:dns-operations-bounces at lists.oarci.net] On Behalf Of Geo.
> Sent: Wednesday, March 01, 2006 10:55 AM
> To: dns-operations at mail.oarc.isc.org
> Subject: Re: [dns-operations] DNS deluge for x.p.ctrc.cc
> 
> 
> > all recursive servers should be configured to only answer local
> > IPs, or their firewalls should enforce this.  it's this openness, and
> > not the relative locations of the bots vs. the recursive servers, that
> > I'm arguing be fixed.
> 
> We seem to not be communicating very well.
> 
> Let's say this is instantly fixed tomorrow, presto all ISPs and corporations
> set their firewalls so that recursive DNS is only available to local
> clients. Let's also assume that all ISPs have fixed it so they are running
> ingress/egress filters at their backbone routers making non-local spoofing a
> thing of the past. OK, the world is wonderful, right? Wrong!
> 
> Now the bots will simply spoof on the inside ISP network and use the local
> DNS servers. The way to stop that is to run a firewall between the DNS
> servers and their local clients (something almost nobody is going to do) or
> put *gress filters on every router (which isn't even possible in some
> cases). And it's at this point everyone will realize this isn't going to get
> fixed.
> 
> So if forcing recursive DNS servers to only serve local clients isn't going
> to fix this, then why should we give up such nice functionality, a tool for
> troubleshooting, for what gain should we dispose of this capability?
> 
> We need a better solution, DNS rate limiting (like the ping flood solution)
> perhaps?
> 
> Geo.
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations
> 
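As an added illustration (not part of either message in the thread), a toy Python model of the two mitigations the exchange discusses: the recursion permit list Ejay describes, and the per-source rate limiting Geo suggests for the case where a bot spoofs an address inside the ISP's own range. The ACL network, the source addresses and the query trace are all constructed for the example.

```python
import ipaddress
from collections import defaultdict, deque

# Hypothetical ISP recursion ACL: only clients in these networks may recurse.
ALLOW_RECURSION = [ipaddress.ip_network("192.0.2.0/24")]

# Per-source rate limit: at most LIMIT recursive queries per WINDOW seconds.
WINDOW = 1.0
LIMIT = 5

class Resolver:
    """Toy decision logic for a recursive resolver (constructed, not a real server)."""

    def __init__(self, acl=ALLOW_RECURSION, window=WINDOW, limit=LIMIT):
        self.acl = acl
        self.window = window
        self.limit = limit
        self.seen = defaultdict(deque)  # source IP -> timestamps of answered queries

    def allowed_by_acl(self, src):
        """Ejay's check: is the (claimed) source in the recursive permit list?"""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.acl)

    def decide(self, src, ts):
        """Return IGNORE (not in ACL), DROP (over rate limit) or ANSWER."""
        if not self.allowed_by_acl(src):
            return "IGNORE"  # spoofed outside address: no reflected reply at all
        recent = self.seen[src]
        while recent and ts - recent[0] >= self.window:
            recent.popleft()  # expire timestamps outside the sliding window
        if len(recent) >= self.limit:
            return "DROP"  # Geo's case: inside address passes the ACL, so rate-limit it
        recent.append(ts)
        return "ANSWER"

def run_trace(resolver, queries):
    """Feed (src, timestamp) pairs through the resolver and tally the decisions."""
    tally = defaultdict(int)
    for src, ts in queries:
        tally[resolver.decide(src, ts)] += 1
    return dict(tally)

# Constructed trace: the victim's address spoofed from outside the ISP, then a
# bot spoofing an inside address eight times within one second.
TRACE = [("203.0.113.7", 0.0)] + [("192.0.2.10", 0.1 * i) for i in range(8)]

if __name__ == "__main__":
    print(run_trace(Resolver(), TRACE))  # → {'IGNORE': 1, 'ANSWER': 5, 'DROP': 3}
```

The ACL alone stops the outside spoof but passes the inside one, which is exactly Geo's objection; the rate limit is what bounds the amplification the inside spoof can produce.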