lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4428869E.2020800@bcgreen.com>
Date: Mon, 27 Mar 2006 16:43:10 -0800
From: Stephen Samuel <samuel@...reen.com>
To: "Geo." <geoincidents@....net>
Cc: bugtraq@...urityfocus.com
Subject: Re: recursive DNS servers DDoS as a growing DDoS problem


Geo. wrote:
> What feature of DNS is being exploited, UDP or the fact that there are a lot
> of dns servers you can use?
>   
I think that this is probably a better point than you think.
It's almost impossible to change the design of the DNS
protocol now but, going foreward, I think that we do
need to add to the best-practices list that any UDP based
protocol that has an ability to produce packet size
amplification, and that is likely to be available to the
public  (i.e. not firewalled off just on principle) should
be modified so that, before large packets get sent
back to a client, that the service have some sort of 'hello'
type protocol that requires that the initiating machine
can prove that it's actually able to receive the packets
that it's causing to be produced.  Even something as
simple as syn cookies would probably make amplification
difficult for most attackers.

To put it another way: UDP as a purely connectionless
protocol is fast becoming a liability in situations where
significant amplification is possible.


-- 
Stephen Samuel +1(778)861-7641             samnospam@...reen.com
		   http://www.bcgreen.com/
   Powerful committed communication. Transformation touching
     the jewel within each person and bringing it to light.



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ