| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 8 Mar 2006 15:55:21 -0700 From: "Mark Senior" <senatorfrog@...il.com> To: gboyce <gboyce@...belly.com> Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, Security Lists <securitylists@...ontown.com> Subject: Re: Re: recursive DNS servers DDoS as a growing DDoSproblem Correct me if I'm wrong, but I was under the impression that DNS responses that go over the max size of a UDP datagram won't get split into multiple UDP datagrams. Rather, a response with only partial data will be sent back, and the client has to reconnect over TCP to get the full data. RFC 2671 even suggests that UDP DNS messages can't go over 512 bytes (although it may be old news now that that has been increased). So, you can send a bunch of source-spoofed requests that are under 100 bytes, and get a bunch of 512 bytes responses. With the UDP headers, that would increase the size a little, but not a huge amount. We're talking about a traffic amplification of about 10:1 or less. Respectable, but not enormous. (Sorry to respond to you twice - I forgot to copy the lists the first time) Regards Mark > Once the first request to the nameservers is made, the object should be > cached by the nameservers. Instead of one packet to each server, consider > a stream of packets to each server. The recipient will recieve a stream > of 100K answers with likely only 200K of traffic back to the attackers DNS > server. > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists