lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <E1FLUJF-00030O-N6@libra.cus.cam.ac.uk>
Date: Tue, 21 Mar 2006 00:01:13 +0000
From: Chris Thompson <cet1@....cam.ac.uk>
To: bugtraq@...urityfocus.com
Subject: Re: recursive DNS servers DDoS as a growing DDoS problem


Michael Sierchio <kudzu@...ebras.com> writes:
> 
> Robert Story wrote:
> 
> > VG> In the scenario you describe, I cannot see any actual amplification...
> > 
> > The amplification isn't in the number of hosts responding, but in packet size.
> > A very small DNS request packet results in a huge response packet.
> 
> Are you talking about rogue authoritative servers?  Otherwise, responses
> will be limited to 512 bytes, possibly with the truncation bit set.

Unless it supports EDNS, in which case it may be persuaded to send
larger replies. BIND does currently have "you cannot be serious"
cutoff at 4096 bytes.

The reason that it is more awkward to use the method against
authoritative-only nameservers is that you have to find a large
RRset in the wild (or one that will come with large authority and/or
additional sections in the reply) and then use the authoritative 
nameservers for that RRset, not any old open recursive nameserver 
(or many of them). You cannot craft your own RRset for the purpose. 

But you can still get amplification, certainly.

-- 
Chris Thompson
Email: cet1@....ac.uk


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ