[dns-operations] odd nxdomain behaviour (reported on bugtraq today)
Mark_Andrews at isc.org
Thu Mar 2 05:57:56 UTC 2006
> On Thu, 2 Mar 2006, Paul Vixie wrote:
> > fpdns is uninformative in this case.
> > fingerprint (220.127.116.11, 18.104.22.168): No match found
> > anybody know more about this net or its nameservers? they are a example of
> > a disturbingly large set of similarly-behaving nameservers, and the
> > implications on spoofed-source dns amplification is somewhat alarming.
> I had a couple of speculations when I first saw this earlier today. My
> first guess was maybe some kind of problem with a router/"DDoS prevention"
> device/some such on the path. I don't know how one would verify that,
> though. The version.bind response for this server claims it's BIND
> 9.2.5, but as you pointed out, the fingerprint is inconclusive, and I
> assume Mark will chime in if this is, in fact, a known bug in older BIND
Not as far as I am aware.
> I'd love to see a wider study of where this can be found in the wild, it
> might help nail down a pattern. The small list of sources in the posts
> I've seen about it so far make that very difficult. In my testing the
> responses were bit-for-bit identical, which really made me think some kind
> of problem at a layer below the application - almost like something was
> applying TCP-like retry behaviors to UDP.
With Paul's source the ip id varies per / packet so it is unlikely
to be replication at the ip level. The rest of the packet other
than the checksums won't vary and I wouldn't expect them to vary.
> Tim Wilde
> twilde at dyndns.com
> Systems Administrator
> Dynamic Network Services, Inc.
> dns-operations mailing list
> dns-operations at lists.oarci.net
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the dns-operations