lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.58.0603011926340.23477@localhost>
Date: Wed, 1 Mar 2006 19:34:09 -0500 (EST)
From: v9 <v9@...ehalo.us>
To: Gadi Evron <ge@...uxbox.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: recursive DNS servers DDoS as a growing DDoS problem


Here are some dns servers I gathered/scanned during the time I researched
this months ago(that appear to still be up):

68.1.199.151
68.1.196.116
68.1.195.161
68.1.193.177

Just remember when you test/capture packets that the domain being
resolved must NOT exist(ie. "x").

On Thu, 2 Mar 2006, Gadi Evron wrote:

> v9@...ehalo.us wrote:
> > While you're on the subject of the potentials of DOSing using DNS servers, I noticed several months ago some possible abuses myself, although I soon lost interest for some reason or another.
> >
> > I noticed that a portion of the worlds DNS servers for some reason or another send back large amounts of duplicate replies if, and only if, the domain being resolved does not exist.
> >
> > The amount of duplicates seems to range between 2 and 24(in steps of 2, 4, 8, 12, 16, 20 and 24), where each reply packet is roughly 2.5x(including IP header) larger than the original request(because of the SOA).  So, for example one request to a DNS server that sends 24 dups back would roughly equal 60x(24*2.5) amplification of data.
>
> This is very interesting. I don't have any idea why that is happeniong
> (yet). Can you share packet captures?
>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ