[dns-operations] more DDoS trouble in DNS land?

Gadi Evron ge at linuxbox.org
Thu Mar 2 00:55:31 UTC 2006


As a reply to my latest bugtraq post, v9 emailed this:

[as bugtraq is as public as one can get, I see no reason to keep this 
private]

-----
     While you’re on the subject of the potentials of DOSing using DNS 
servers, I noticed several months ago some possible abuses myself, 
although I soon lost interest for some reason or another.

     I noticed that a portion of the world's DNS servers for some reason 
or another send back large amounts of duplicate replies if, and only if, 
the domain being resolved does not exist.

     The amount of duplicates seems to range between 2 and 24 (in steps 
of 2, 4, 8, 12, 16, 20 and 24), where each reply packet is roughly 
2.5x (including IP header) larger than the original request (because of 
the SOA). So, for example, one request to a DNS server that sends 24 dups 
back would roughly equal 60x (24*2.5) amplification of data.

     An example of a random server I found while scanning (12 dups from 
one request):
     ————————————————-
     term1# host x 68.1.2.3

     …

     term2# /usr/sbin/tcpdump -n src 68.1.2.3
     tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
     listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
     00:04:58.459356 IP 68.1.2.3.53 > xxx.xxx.xxx.xxx.1865: 62623 NXDomain 0/1/0 (94)
     00:04:58.481281 IP 68.1.2.3.53 > xxx.xxx.xxx.xxx.1865: 62623 NXDomain 0/1/0 (94)
     00:04:58.514411 IP 68.1.2.3.53 > xxx.xxx.xxx.xxx.1865: 62623 NXDomain 0/1/0 (94)
     00:05:01.459157 IP 68.1.2.3.53 > xxx.xxx.xxx.xxx.1865: 62623 NXDomain 0/1/0 (94)
     00:05:01.478706 IP 68.1.2.3.53 > xxx.xxx.xxx.xxx.1865: 62623 NXDomain 0/1/0 (94)
     00:05:01.512249 IP 68.1.2.3.53 > xxx.xxx.xxx.xxx.1865: 62623 NXDomain 0/1/0 (94)
     00:05:04.459512 IP 68.1.2.3.53 > xxx.xxx.xxx.xxx.1865: 62623 NXDomain 0/1/0 (94)
     00:05:04.480542 IP 68.1.2.3.53 > xxx.xxx.xxx.xxx.1865: 62623 NXDomain 0/1/0 (94)
     00:05:04.512085 IP 68.1.2.3.53 > xxx.xxx.xxx.xxx.1865: 62623 NXDomain 0/1/0 (94)
     00:05:07.458823 IP 68.1.2.3.53 > xxx.xxx.xxx.xxx.1865: 62623 NXDomain 0/1/0 (94)
     00:05:07.477374 IP 68.1.2.3.53 > xxx.xxx.xxx.xxx.1865: 62623 NXDomain 0/1/0 (94)
     00:05:07.511919 IP 68.1.2.3.53 > xxx.xxx.xxx.xxx.1865: 62623 NXDomain 0/1/0 (94)
     ————————————————-

     At the time I noticed this I decided to create a scanner to find 
out how many DNS servers are susceptible to this, and I found no shortage. I 
ran it only for a few hours starting at 68.0.0.1 and found hundreds of 
DNS servers that sent back dup replies (mostly 12 and 8 dups).

     I also created a DOS tool to test the theory at the time, but I see 
no reason to post that.

     I still don’t know the cause of this, just figured I would attach 
it on this subject for someone to decipher.

     For anyone interested in the scanner, which is light on documentation:

     http://fakehalo.us/dnsdbd-gp.c
     http://fakehalo.us/dnsdbd.c

     (the -gp.c version simply stores the IP of the DNS server in 
character form so it's easier to read by human eyes)
-----

And when asked about packet captures, as I have no idea what might cause 
that (YET):

-----
     Here are some DNS servers I gathered/scanned during the time I 
researched this months ago (that appear to still be up):

     68.1.199.151
     68.1.196.116
     68.1.195.161
     68.1.193.177

     Just remember when you test/capture packets that the domain being
     resolved must NOT exist (i.e. “x”).
-----

I spent some time on this, and I can’t come up with a simple explanation
as to why it would be doing that, if this report is true. What would
generate these packets? Apparently, being large doesn’t help much, as
that’s how NXDOMAIN works?

	Gadi.
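For operators who want to check their own captures for the behaviour v9 describes, here is an added example (not code from the thread or from v9's scanner) that groups tcpdump DNS reply lines like the ones quoted above by server, client port and transaction id, flags servers returning more than one copy of the same reply, and computes the amplification the way the post does (IP+UDP headers included). The sample capture uses documentation addresses and is constructed; the 19-byte request payload for a query of the bare name "x" is an assumption.

```python
import re
from collections import defaultdict

# Matches tcpdump's one-line DNS reply summary as shown in the capture above;
# the trailing "(94)" is the DNS message length that tcpdump prints.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.53 > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+) (?P<rcode>\S+) (?P<counts>\d+/\d+/\d+) \((?P<length>\d+)\)$"
)

IP_UDP_OVERHEAD = 28  # IPv4 header (20) + UDP header (8), no options

# Constructed sample capture: one server sends three copies of the same NXDomain
# reply to one client port/transaction id; a second server answers exactly once.
SAMPLE_CAPTURE = """\
00:04:58.459356 IP 192.0.2.1.53 > 198.51.100.7.1865: 62623 NXDomain 0/1/0 (94)
00:04:58.481281 IP 192.0.2.1.53 > 198.51.100.7.1865: 62623 NXDomain 0/1/0 (94)
00:04:58.514411 IP 192.0.2.1.53 > 198.51.100.7.1865: 62623 NXDomain 0/1/0 (94)
00:04:59.100000 IP 192.0.2.2.53 > 198.51.100.7.1866: 41002 NXDomain 0/1/0 (94)
"""

def parse_replies(text):
    """Yield one dict per parsable tcpdump DNS reply line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["length"] = int(rec["length"])
            yield rec

def find_duplicate_replies(text, min_copies=2):
    """Group replies by (server, client, client port, transaction id) and
    return only the groups holding at least min_copies replies."""
    groups = defaultdict(list)
    for rec in parse_replies(text):
        groups[(rec["src"], rec["dst"], rec["dport"], rec["txid"])].append(rec)
    return {k: v for k, v in groups.items() if len(v) >= min_copies}

def amplification_factor(replies, request_payload_bytes):
    """Bytes sent back for one request divided by bytes of that request,
    both counted with IP+UDP headers as the original post does."""
    sent = sum(r["length"] + IP_UDP_OVERHEAD for r in replies)
    return sent / (request_payload_bytes + IP_UDP_OVERHEAD)

if __name__ == "__main__":
    # Assumption: a query for "x" is a 19-byte DNS payload
    # (12-byte header + 3-byte name + 4 bytes type/class).
    for key, replies in find_duplicate_replies(SAMPLE_CAPTURE).items():
        print(key, len(replies), "copies, amplification %.1fx"
              % amplification_factor(replies, 19))
```

On the sample the three-copy server comes out at roughly 7.8x; one copy of a 94-byte reply to a 19-byte query is about 2.6x, which matches the post's "roughly 2.5x (including IP header)" per reply.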


