Date: Tue, 4 Apr 2006 08:32:29 -0400
From: "Geo." <geoincidents@....net>
To: <bugtraq@...urityfocus.com>
Subject: RE: recursive DNS servers DDoS as a growing DDoS problem


> We have done just this (block inbound udp/53) to certain subnets due to a
> rash of CPEs that happily proxy DNS, including recursive queries,
> from their WAN side.

What devices? Is this a default or something customers are configuring?

> Ingress/Egress filtering did not help because the traffic coming
> to the name server was not spoofed to appear like it was coming from our
> network, it
> really was.

Ingress/Egress filtering really needs to be addressed by router
manufacturers so it's a default when the router is configured. If every DSL
router did *gress filtering, most of the spoofing issues would go away
overnight. It's the same sort of thing as Exchange finally installing with
relay disabled or the patch for smurf ping replies.

In the case where a router is located someplace that *gress filtering just
isn't a viable option the people configuring those routers should be smart
enough to be able to figure out how to disable it so enabled by default
really should not be a change that is an issue for router manufacturers.

Geo.
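The two mechanisms discussed in this thread, source-address validation on both sides of a CPE router and the CPE refusing to act as a DNS proxy on its WAN interface, are easy to model. The following is an added example written for this archive page; it is not code from any poster or vendor. The prefixes, the router's WAN address and the sample packets are constructed from documentation address ranges, and the rule names are hypothetical. Validation is on by default and can be switched off by the operator, which is the default-on behaviour the post argues for.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One IP packet as seen by the router (constructed for this example)."""
    src: str      # source address
    dst: str      # destination address
    proto: str    # "udp" or "tcp"
    dport: int    # destination port
    iface: str    # interface the packet arrived on: "lan" or "wan"


class GressFilter:
    """Model of a CPE/edge router with BCP38-style ingress/egress filtering
    enabled by default, plus a rule that keeps its DNS forwarder off the WAN.

    inside_prefixes: the customer's own address space behind the router.
    wan_addr:        the router's public (WAN-side) address.
    validate_sources: operator switch for the *gress filtering (default on).
    allow_wan_dns:   whether the router answers DNS queries on its WAN side.
    """

    def __init__(self, inside_prefixes, wan_addr,
                 validate_sources=True, allow_wan_dns=False):
        self.inside = [ipaddress.ip_network(p) for p in inside_prefixes]
        self.wan_addr = wan_addr
        self.validate_sources = validate_sources
        self.allow_wan_dns = allow_wan_dns

    def _is_inside(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.inside)

    def decide(self, pkt):
        """Return "accept" or a "drop: <reason>" string for one packet."""
        if self.validate_sources:
            # Egress filtering: anything leaving the LAN must carry one of our
            # own source addresses; a forged source is the reflection pattern
            # the thread is about, so it is dropped at the first hop.
            if pkt.iface == "lan" and not self._is_inside(pkt.src):
                return "drop: egress spoof"
            # Ingress filtering: a packet arriving from the WAN can never
            # legitimately claim a source inside our own network.
            if pkt.iface == "wan" and self._is_inside(pkt.src):
                return "drop: ingress spoof"
        # The open-proxy problem from the quoted reply: the CPE's DNS forwarder
        # must not answer queries that reach its WAN address from outside.
        if (pkt.iface == "wan" and pkt.proto == "udp" and pkt.dport == 53
                and pkt.dst == self.wan_addr and not self.allow_wan_dns):
            return "drop: wan dns proxy"
        return "accept"


def audit(flt, packets):
    """Run every packet through the filter; returns [(packet, decision), ...]."""
    return [(p, flt.decide(p)) for p in packets]


def summarize(results):
    """Count decisions, e.g. {"accept": 2, "drop: egress spoof": 1}."""
    counts = {}
    for _, decision in results:
        counts[decision] = counts.get(decision, 0) + 1
    return counts


# Constructed sample traffic using documentation ranges (RFC 5737 / RFC 1918).
SAMPLE_PACKETS = [
    # legitimate DNS query from a LAN host to an outside resolver
    Packet("192.168.1.10", "198.51.100.53", "udp", 53, "lan"),
    # LAN host forging a third party's address: the amplification trigger
    Packet("203.0.113.9", "198.51.100.53", "udp", 53, "lan"),
    # packet from the WAN claiming to come from inside our own LAN
    Packet("192.168.1.10", "192.168.1.1", "udp", 53, "wan"),
    # outside host asking the CPE's own WAN address to resolve a name
    Packet("203.0.113.9", "198.51.100.7", "udp", 53, "wan"),
    # ordinary inbound traffic to the router that no rule objects to
    Packet("203.0.113.9", "198.51.100.7", "tcp", 443, "wan"),
]


def default_router():
    """A router with the defaults this post argues for."""
    return GressFilter(["192.168.1.0/24"], wan_addr="198.51.100.7")


if __name__ == "__main__":
    for pkt, decision in audit(default_router(), SAMPLE_PACKETS):
        print(f"{pkt.iface:>3} {pkt.src:>15} -> {pkt.dst:<15} "
              f"{pkt.proto}/{pkt.dport}: {decision}")
    print(summarize(audit(default_router(), SAMPLE_PACKETS)))
```

Setting `validate_sources=False` reproduces the situation the quoted reply describes: the forged LAN packet passes, and only the WAN-side DNS rule still stands between the CPE and its use as an open reflector.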


