lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4431ABDF.3020005@hpcisp.com>
Date: Mon, 03 Apr 2006 19:12:31 -0400
From: Jim Pingle <jim@...isp.com>
To: "Geo." <geoincidents@....net>
Cc: bugtraq@...urityfocus.com
Subject: Re: recursive DNS servers DDoS as a growing DDoS problem


Geo. wrote:
>> What is stopping you from running your own local DNS server?
> 
> What is stopping you from running your own SMTP server? A port 25 block?
> Well if an ISP doesn't want to play whack-a-mole with unsecured dns servers
> popping up every day do you not think it likely that they will resort to the
> same techniques they used for smtp?
> 
> Granted a port 53 inbound block would make more sense for the current
> example but just like bots started running their own SMTP engines I see the
> dns flood model changing to fit the new landscape.

We have done just this (block inbound udp/53) to certain subnets due to a
rash of CPEs that happily proxy DNS, including recursive queries, from their
WAN side. They DoS their own circuits more effectively than the intended DoS
targets.

Ingress/Egress filtering did not help because the traffic coming to the name
server was not spoofed to appear like it was coming from our network, it
really was. The attack reflected off of the routers and because they were
local to our name servers, they got replies to the recursive queries despite
our rejecting them from outside our network. And of course once it was
cached, it was open for public queries.

Broken/misconfigured/buggy routers appear to look just like open DNS
servers, and are likely to be much higher in numbers.

Jim



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ