lists.openwall.net: Open Source and information security mailing list archives
Date: Tue, 14 Mar 2006 07:04:45 -0500
From: Robert Story <rstory-l@...6.revelstone.com>
To: "Mark Senior" <senatorfrog@...il.com>
Cc: gboyce <gboyce@...belly.com>,
	"Security Lists" <securitylists@...ontown.com>,
	full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: [Full-disclosure] Re: recursive DNS servers DDoS as a growing DDoS problem


On Wed, 8 Mar 2006 15:55:21 -0700 Mark wrote:
MS> Correct me if I'm wrong, but I was under the impression that DNS
MS> responses that go over the max size of a UDP datagram won't get split
MS> into multiple UDP datagrams.  Rather, a response with only partial
MS> data will be sent back, and the client has to reconnect over TCP to
MS> get the full data.
MS> 
MS> RFC 2671 even suggests that UDP DNS messages can't go over 512 bytes
MS> (although it may be old news now that that has been increased).

Exactly. The attackers do use EDNS0 [RFC2671], which allows clients to declare
the maximum size of UDP message they are willing to handle. So the spoofed
packet sets this value to whatever they want.

MS> So, you can send a bunch of source-spoofed requests that are under 100
MS> bytes, and get a bunch of 512 bytes responses.

In the most recent round of attacks, the attackers were using 4k TXT records,
so a 100 byte request is hugely amplified...
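As an added illustration (this is not code from Robert's or Mark's messages), the following Python builds the wire-format messages the exchange above describes: a roughly 40-byte TXT query carrying an EDNS0 OPT pseudo-RR that advertises a 4096-byte UDP payload, and the response a server would return with a 4000-byte TXT record in it. The query name example.com, the transaction ID and the 4000-byte payload are assumptions chosen for the example; nothing is sent on the network. The parser also shows the check a resolver operator can make on incoming queries: a query with no OPT record is limited to 512 bytes of UDP response, so the same answer would be truncated (TC bit) and the client would have to retry over TCP, which a spoofed source never does.

```python
"""Added example: EDNS0-advertised UDP size as a DNS amplification lever.
Not code from the original thread; all helper names are mine."""
import struct

TYPE_TXT = 16
TYPE_OPT = 41      # EDNS0 pseudo-RR, RFC 2671
CLASS_IN = 1
NO_EDNS_LIMIT = 512  # pre-EDNS0 UDP limit from RFC 1035


def encode_name(name):
    """Encode a dotted name as length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(packet, offset):
    """Return (name, offset after the name), following compression pointers."""
    labels, jumped, end = [], False, None
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_query(qname, qtype, udp_payload=None, txid=0x1234):
    """Recursive query; if udp_payload is given, append an OPT RR whose
    CLASS field carries the advertised UDP payload size (RFC 2671 s.4.3)."""
    arcount = 0 if udp_payload is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if udp_payload is not None:
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0, 0)
    return header + question + opt


def advertised_udp_size(packet):
    """EDNS0 UDP payload size the message advertises, or None if no OPT RR."""
    qd, an, ns, ar = struct.unpack("!HHHH", packet[4:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(packet, off)
        off += 4                                       # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        name, off = decode_name(packet, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT and name == "":
            return rclass
    return None


def build_txt_response(query, txt_data, ttl=3600, server_udp_size=4096):
    """Answer the query with one TXT record holding txt_data, split into the
    <=255-byte character-strings TXT RDATA requires; echo an OPT RR."""
    txid = query[:2]
    _, qd_end = decode_name(query, 12)
    qd_end += 4
    question = query[12:qd_end]
    chunks = (txt_data[i:i + 255] for i in range(0, len(txt_data), 255))
    rdata = b"".join(bytes([len(c)]) + c for c in chunks)
    answer = (b"\xc0\x0c"                              # pointer to QNAME
              + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, server_udp_size, 0, 0)
    header = txid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 1)  # QR, RD, RA
    return header + question + answer + opt


def would_truncate(response, client_udp_size):
    """True if the server must set TC and the client must retry over TCP."""
    limit = NO_EDNS_LIMIT if client_udp_size is None else client_udp_size
    return len(response) > limit


def amplification_factor(query, response):
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("example.com", TYPE_TXT, udp_payload=4096)
    r = build_txt_response(q, b"A" * 4000)             # constructed 4k TXT record
    print(len(q), "byte query ->", len(r), "byte response,",
          "x%.1f" % amplification_factor(q, r))
    print("without EDNS0 the same answer is truncated:",
          would_truncate(r, advertised_udp_size(build_query("example.com", TYPE_TXT))))
```

The 40-byte query already yields a response of over 4000 bytes, roughly a hundredfold amplification before IP and UDP headers are counted; with a 512-byte limit the server would instead set TC and the reflected traffic would be a fraction of that.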

