lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.64.0603271836012.22945@localhost.localdomain>
Date: Mon, 27 Mar 2006 18:42:45 -0500 (EST)
From: gboyce <gboyce@...belly.com>
To: bugtraq@...urityfocus.com
Subject: Re: recursive DNS servers DDoS as a growing DDoS problem


On Sun, 26 Mar 2006, Geo. wrote:

>> Spoofing is indeed the attack vector and it can also be utilized for
>> NTP, ICMP, etc. It is to blame.
>>
>> Still, DNS is what's being exploited and in my opinion a broken feature
>> being exploited needs fixing, or it will be exploited.
>
> What feature of DNS is being exploited, UDP or the fact that there are a lot
> of dns servers you can use?
>
> If you have a 20,000 bot botnet and each bot has 2 defined recursive dns
> servers that it is allowed to use and these bots are on the local subnet (ie
> BCP38 is implimented at the gateway but not at every router) then how
> exactly is locking down recursive servers so you can only use yours going to
> solve anything?

Right now you don't need the 20,000 bot botnet.  You can find plenty of 
recursive nameservers to send large responses to your victim.  Even if we 
moved to a state where a 20,000 bot botnet could take you down, that's 
still better than anyone on a cable modem can take you down.

However, properly fixed the 20,000 bot botnet isn't able to perform this 
sort of attack unless all 20,000 bots are on your ISPs network.

Each bot has 2 nameservers.  Properly configured, those nameservers should 
only send responses to the customers of the ISP in question (this would 
require dns server changes, not firewall rules blocking the requests).

If the victim of the attack is not on the list of allowed clients, then 
the bot would send the request to its own nameservers, and the nameservers 
would refuse to respond since the victim is not an allowed IP.

Greg


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ