[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20060314070445.55dbb791@aud.vb.futz.org>
Date: Tue, 14 Mar 2006 07:04:45 -0500
From: Robert Story <rstory-l@...6.revelstone.com>
To: "Mark Senior" <senatorfrog@...il.com>
Cc: gboyce <gboyce@...belly.com>,
"Security Lists" <securitylists@...ontown.com>,
full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: [Full-disclosure] Re: recursive DNS servers DDoS as a growing
DDoSproblem
On Wed, 8 Mar 2006 15:55:21 -0700 Mark wrote:
MS> Correct me if I'm wrong, but I was under the impression that DNS
MS> responses that go over the max size of a UDP datagram won't get split
MS> into multiple UDP datagrams. Rather, a response with only partial
MS> data will be sent back, and the client has to reconnect over TCP to
MS> get the full data.
MS>
MS> RFC 2671 even suggests that UDP DNS messages can't go over 512 bytes
MS> (although it may be old news now that that has been increased).
Exactly. The attackers do use EDNS0 [RFC2671], which allows clients to declare
the maximum size of UDP message they are willing to handle. So the spoofed
packet sets this value to whatever they want.
MS> So, you can send a bunch of source-spoofed requests that are under 100
MS> bytes, and get a bunch of 512 bytes responses.
In the most recent round of attacks, the attackers were using 4k TXT records,
so a 100 byte request is hugely amplified...
Powered by blists - more mailing lists