lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 29 Nov 2005 17:42:50 +0100
From: Florian Weimer <fw@...eb.enyo.de>
To: "Piotr Kamisiski" <rotunda@....krakow.pl>
Cc: bugtraq@...urityfocus.com
Subject: Re: DNS query spam


* Piotr Kamisiski:

> 23:05:40.241026 IP 204.92.73.10.40760 > xx.xx.xx.xx.53:  38545+ [1au] ANY ANY? e.mpisi.com. (40)


204.92.73.10 is one of the IP addresses for irc.efnet.ca.  Someone is
spoofing the source addresses, in the hope that DNS servers will
return a large record set.

Could you check if the packets contain OPT records (e.g. using
"tcpdump -s 0 -v")?  This protocol extension is described in the RFC
for ENDS0 (RFC 2671).  EDNS0-capable DNS resolvers can send fragmented
UDP packets, exceeding the traditional 512 byte limit of DNS UDP
replies.  The BIND 9 default maximum response size is 4096, for
example.

If the spoofed requests contain OPT records , you typically get an
amplification factor of about 60 in terms of bandwidth, and 5 in terms
of packet rate, but actual numbers may vary.

Yet another reason to restrict access to your recursive resolvers to
customers only.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ