lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 29 Nov 2005 17:57:41 +0100 (CET)
From: "Piotr Kamisiski" <rotunda@....krakow.pl>
To: Florian Weimer <fw@...eb.enyo.de>
Cc: bugtraq@...urityfocus.com
Subject: Re: DNS query spam


Hello

Thanks for your response.

The requests don't contain OPT records, but the data I've analysed doesn't 
cover the most intense attacks. Today has been particularly quiet. I'll 
wait to accumulate more data.

On Tue, 29 Nov 2005, Florian Weimer wrote:

> * Piotr Kamisiski:
>
>> 23:05:40.241026 IP 204.92.73.10.40760 > xx.xx.xx.xx.53:  38545+ [1au] ANY ANY? e.mpisi.com. (40)
>
>
> 204.92.73.10 is one of the IP addresses for irc.efnet.ca.  Someone is
> spoofing the source addresses, in the hope that DNS servers will
> return a large record set.
>
> Could you check if the packets contain OPT records (e.g. using
> "tcpdump -s 0 -v")?  This protocol extension is described in the RFC
> for ENDS0 (RFC 2671).  EDNS0-capable DNS resolvers can send fragmented
> UDP packets, exceeding the traditional 512 byte limit of DNS UDP
> replies.  The BIND 9 default maximum response size is 4096, for
> example.
>
> If the spoofed requests contain OPT records , you typically get an
> amplification factor of about 60 in terms of bandwidth, and 5 in terms
> of packet rate, but actual numbers may vary.
>
> Yet another reason to restrict access to your recursive resolvers to
> customers only.
>


Best regards,
Piotr KamisiƄski

Powered by blists - more mailing lists