Date: Wed, 5 Apr 2006 09:13:50 -0400
From: "Geo." <geoincidents@....net>
To: <bugtraq@...urityfocus.com>
Subject: RE: recursive DNS servers DDoS as a growing DDoS problem


> They don't need more servers, just better software.  If you think open
> recursion (DNS DoS amplification) is an issue ISPs can ignore, I suggest
> you look at the history of open SMTP relays and networks
> supporting/allowing directed broadcast.

I'll address the "ignore" part.

I don't think closing recursive dns servers is going to make squat
difference for dns based flooding just like closing SMTP relays didn't make
squat difference for the spam problem. The spam continues to flow today.

Closing SMTP relays solved another problem, server capacity for the ISP, so
it was in their interest to close the relays because it ate up their
bandwidth and mail server capacity.

Has anyone being used for a dns flood noticed they were being used?

As to the issue of dns flooding, it doesn't require open recursive servers.
I can point the whole domain to someone's website without even having a DNS
server of my own simply by using www.domain.com and the target's IP address
as one of the authoritative name servers listed with the registrar and target
someone that way. All I need to do then is generate queries for a bunch of
random.domain.com names, I don't even need to spoof, 20,000 bots talking to
their authorized recursive servers should work just fine. Heck for that
matter I don't even need bots, I could just spam the planet and use
bob@...dom.domain.com as the return address. (that might even give the
amplification required)

What is closing an open recursive server going to do for the ISP hosting it?
I haven't heard anyone screaming that these floods were even noticeable by
the folks running the recursive dns servers. Where is the motivation for the
ISP, ISP customer, corporation, university, etc. to do anything? Yeah, I
think they can ignore it until someone decides to target them.

Geo.
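
An operator of a recursive server can check the query log for the random-name pattern this message describes. The following is an added example, not part of the original post; the log format, thresholds, function names and sample data are constructed assumptions.

```python
from collections import defaultdict

def parent_zone(qname, labels=2):
    """Naive zone guess: the last `labels` labels (assumption: no public-suffix list)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-labels:])

def find_random_name_floods(lines, min_queries=20, min_unique_ratio=0.9):
    """Flag zones where nearly every query asks for a name not seen before.

    Normal traffic repeats a small set of names, so it is answered from cache.
    A flood of random names never hits the cache, so each query has to be
    resolved upstream at the zone's listed name servers. Thresholds are assumptions.
    """
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "clients": set()})
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed or truncated lines
        _ts, client, qname, _qtype = fields
        entry = stats[parent_zone(qname)]
        entry["queries"] += 1
        entry["names"].add(qname.rstrip(".").lower())
        entry["clients"].add(client)
    flagged = {}
    for zone, entry in stats.items():
        ratio = len(entry["names"]) / entry["queries"]
        if entry["queries"] >= min_queries and ratio >= min_unique_ratio:
            flagged[zone] = (entry["queries"], len(entry["names"]), len(entry["clients"]))
    return flagged

def constructed_sample():
    """Constructed log lines: '<epoch> <client-ip> <qname> <qtype>' (made-up format)."""
    lines = []
    for i in range(30):  # ordinary traffic: one popular name asked repeatedly
        lines.append(f"{1144242830 + i} 192.0.2.{i % 5 + 1} www.example.org A")
    for i in range(40):  # flood pattern: a different left-most label every time
        label = f"{(i * 2654435761) % 2**32:08x}"
        lines.append(f"{1144242830 + i} 198.51.100.{i % 20 + 1} {label}.example.com A")
    return lines

if __name__ == "__main__":
    for zone, (queries, names, clients) in find_random_name_floods(constructed_sample()).items():
        print(f"{zone}: {queries} queries, {names} unique names, {clients} clients")
```

Each flagged zone is reported with its query count, unique-name count and client count, which gives the operator a starting point for rate limiting or contacting the affected party.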


