lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20060320172505.GL4451@sentinelchicken.org>
Date: Mon, 20 Mar 2006 12:25:05 -0500
From: Tim <tim-security@...tinelchicken.org>
To: "Bram Matthys (Syzop)" <syzop@...nscan.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: [Full-disclosure] Re: recursive DNS servers DDoS as a growing DDoSproblem


Hello,

> Indeed, interesting. I was not aware of this feature.
> 
> But let's get to the point.. why is "recursive" in this email subject? It
> doesn't need to have anything to do with recursive DNS.. you can exploit this
> on normal public authoritative nameservers as well.

You can certainly get amplification from servers that don't provide you
recursion, but you can get more if they do.  For instance, if the
attacker wants to attack servers at example.com, he could send a query
to recursive.example.org for a large record that exists under
example.com.  He would of course spoof the source address of this
request as if it came from some IP owned by example.com.  Thus the
traffic looks like:


Attacker(spoofed) --query for bigrecord.example.com--> recursive.example.org

recursive.example.org --query for bigrecord.example.com--> ns.example.com

ns.example.com --response for bigrecord.example.com--> recursive.example.org

recursive.example.org --response for bigrecord.example.com--> spoofed


Where 'spoofed' is some IP at example.com.  So now example.com not only
receives a large record, their DNS server has to dish it out first.
This assumes they host some large record there.

cheers,
tim


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ