lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <70f230c70603081455r24a3e3eam6a2f2a2b24fa47a5@mail.gmail.com>
Date: Wed, 8 Mar 2006 15:55:21 -0700
From: "Mark Senior" <senatorfrog@...il.com>
To: gboyce <gboyce@...belly.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
	Security Lists <securitylists@...ontown.com>
Subject: Re: Re: recursive DNS servers DDoS as a growing
	DDoSproblem


Correct me if I'm wrong, but I was under the impression that DNS
responses that go over the max size of a UDP datagram won't get split
into multiple UDP datagrams.  Rather, a response with only partial
data will be sent back, and the client has to reconnect over TCP to
get the full data.

RFC 2671 even suggests that UDP DNS messages can't go over 512 bytes
(although it may be old news now that that has been increased).

So, you can send a bunch of source-spoofed requests that are under 100
bytes, and get a bunch of 512 bytes responses.  With the UDP headers,
that would increase the size a little, but not a huge amount.  We're
talking about a traffic amplification of about 10:1 or less.
Respectable, but not enormous.

(Sorry to respond to you twice - I forgot to copy the lists the first time)

Regards
Mark

> Once the first request to the nameservers is made, the object should be
> cached by the nameservers.  Instead of one packet to each server, consider
> a stream of packets to each server.  The recipient will recieve a stream
> of 100K answers with likely only 200K of traffic back to the attackers DNS
> server.
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ