Message-ID: <20040804205805.GA8394@h8000.serverkompetenz.net>
From: nils at druecke.strg-alt-entf.org (Nils Ketelsen)
Subject: FW: Question for DNS pros
On Wed, Aug 04, 2004 at 11:49:50AM -0700, John Hall wrote:
> It's possible the packets that solicited the traffic were spoofed, but
> it's generally more likely that someone on your network browsed the site
> in the last day or two and you just haven't yet been aged out of the list
> of sites the 3-DNS is keeping track of.
I do not know anything about 3-DNS apart from what I read in this thread, so
please excuse me if I get anything wrong or seem not to understand:
1. Why do you need to measure metrics for my DNS days after I might have
visited a site?
2. How does this kind of setup scale (imagine everyone did that)?
> >But wouldn't that make 3DNS an amplifier in a DoS attack? I guess it
> >depends on how it is configured. Seems so that, when configured wrong
> >with an overly aggressive configuration, it will respond with a multiple
> >of probes packets to a single spoofed reply.
> Definitely not! When your DNS server sends a query to 3-DNS, it's added
> to a list of sites to keep metrics for. The probes used to create those
> metrics are rate limited to one overall attempt to gather data per hour
> regardless of how many times you query the server. A single data gathering
And if I, for example, spoof DNS requests from each IP address in the /8 of
the organization I dislike?
Or I spoof DNS requests from every IP address in 0.0.0.0/0?
Will you then be sending out probe packets for a few days to all these
IP addresses? That sounds like a DoS amplifier to me.
> attempt will try each of its configured probe methods in turn to try and
> get a response, so you should never see more than 6 - 20 packets per hour,
> per group of 3-DNS's.
So worst case:
20 packets per hour times 2^32 possible IP Addresses makes you send out
85899345920 an hour. Not bad. And that is for each of your customers, right?
> I don't think that could be a problem with 3-DNS. Your time would
> probably better be spent trying to ensure that no reconnaissance attempts
> return data that would be useful to an attacker. I suspect that even
> if every group of 3-DNS's in the world suddenly added you to their probe
> lists, you wouldn't see a significant amount of traffic. You'd probably
> notice it, but it wouldn't compare with the total amount of other
> unsolicited traffic you receive.
If I happen to have a /8 I might receive 5592405 Probe packets a second per
3-DNS group. I would call that significant.
Nils
--
Do you have that a bit more clearly, or are you the Oracle of Jena?
[Joerg Moeller to Lutz Donnerhacke in de.admin.net-abuse.news]
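Added illustration of the rate-limiting argument in the exchange above (this is not code from the thread, from F5, or from the 3-DNS product): a toy probe scheduler that enforces the per-site limit described by John Hall (one data-gathering attempt per hour per querying address, at most 20 packets per attempt) and, optionally, a hypothetical aggregate budget per hour. The traffic it is fed is constructed: one query from every address in a prefix, repeated each hour, which is the spoofing scenario Nils raises. The per-site limit alone lets the probe volume grow linearly with the number of distinct source addresses; only an aggregate cap bounds it. The class and function names and the budget parameter are assumptions for this example.

```python
# Added example, not 3-DNS code: models per-source probe rate limiting versus
# an aggregate (global) probe budget. Sample traffic is constructed inline.
import ipaddress

PACKETS_PER_ATTEMPT = 20      # upper bound per data-gathering attempt quoted in the thread
ATTEMPT_INTERVAL_S = 3600     # one attempt per hour per queried-from site


class ProbeScheduler:
    """Decides whether a DNS query from a source address triggers a probe attempt.

    Per-site rule (from the thread): at most one attempt per ATTEMPT_INTERVAL_S
    per source address. global_budget (hypothetical mitigation): maximum probe
    packets emitted per hour across all sites; None means no aggregate cap.
    """

    def __init__(self, global_budget=None):
        self.global_budget = global_budget
        self.last_attempt = {}      # source address (int) -> time of last attempt
        self.window_start = 0       # start of the current one-hour budget window
        self.sent_in_window = 0
        self.total_sent = 0

    def on_query(self, src, now):
        """Handle a query from src at time now; return the number of probe packets sent."""
        # Roll the aggregate budget window once an hour has elapsed.
        if now - self.window_start >= ATTEMPT_INTERVAL_S:
            self.window_start = now
            self.sent_in_window = 0

        # Per-site limit: a site already probed within the last hour gets nothing.
        last = self.last_attempt.get(src)
        if last is not None and now - last < ATTEMPT_INTERVAL_S:
            return 0

        # Aggregate budget: stop emitting once the hourly allowance is used up.
        if self.global_budget is not None:
            remaining = self.global_budget - self.sent_in_window
            if remaining <= 0:
                return 0
            packets = min(PACKETS_PER_ATTEMPT, remaining)
        else:
            packets = PACKETS_PER_ATTEMPT

        self.last_attempt[src] = now
        self.sent_in_window += packets
        self.total_sent += packets
        return packets


def simulate_spoofed_queries(prefix, global_budget=None, hours=1):
    """Feed one query per address in prefix every hour; return total probe packets sent.

    The query stream is constructed for the example: it stands in for spoofed
    queries whose source addresses cover the whole prefix.
    """
    net = ipaddress.ip_network(prefix)
    sched = ProbeScheduler(global_budget)
    first, last = int(net.network_address), int(net.broadcast_address)
    for hour in range(hours):
        now = hour * ATTEMPT_INTERVAL_S
        for src in range(first, last + 1):
            sched.on_query(src, now)
    return sched.total_sent


if __name__ == "__main__":
    # Per-site limiting only: 256 addresses * 20 packets = 5120 probe packets per hour.
    print(simulate_spoofed_queries("192.0.2.0/24"))
    # With a hypothetical aggregate budget the hourly volume is capped at the budget.
    print(simulate_spoofed_queries("192.0.2.0/24", global_budget=1000))
```

The per-site count scales with the size of the spoofed prefix (a /16 yields 65536 * 20 packets per hour under the same rules), which is why a limit keyed on the querying address is a fairness control rather than an amplification control; a defender reviewing such a product would look for an aggregate cap, or for probes that are only triggered by queries whose source can be validated, in addition to the per-site timer.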