Message-ID: <20050527142835.GB8009@penguinhosting.net>
Date: Fri May 27 15:28:45 2005
From: ian-fulldisclosure at penguinhosting.net (Ian Gulliver)
Subject: DNS Smurf revisited

DNS smurf is old news:

http://www.s0ftpj.org/docs/spj-002-000.txt
http://www.ciac.org/ciac/bulletins/j-063.shtml

However, as ISPs continue to operate networks that let spoofed packets
out, this issue deserves a little publicity again.

10:17:07.641061 IP (tos 0x0, ttl  64, id 46429, offset 0, flags [DF], length: 49) XXXXXXXXXXXXX.44295 > c.gtld-servers.net.domain: [udp sum ok]  18297 ANY? org. (21)
10:17:07.673800 IP (tos 0x0, ttl  43, id 0, offset 0, flags [DF], length: 468) c.gtld-servers.net.domain > XXXXXXXXXXXXX.44295: 18297- 0/13/13 (440)

% echo "2 k 468 49 / p" | dc
9.55

That's a 9.5X amplification of outgoing traffic; you can probably break
10X with a little more work on the query and nameserver choices.


SOLUTIONS
---------

ISPs: Drop outgoing packets that don't originate from within your
network.  You should already be doing this, as it stops a variety of
other attacks.

NS operators: Ratelimit?


Attached is a modernized proof of concept.

-- 
Ian Gulliver
Penguin Hosting
"Failure is not an option; it comes bundled with your Microsoft products."
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dnos.c
Type: text/x-csrc
Size: 8783 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050527/56a74fd4/dnos.bin
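
The measurement in the tcpdump excerpt above, as an added example for nameserver operators and defenders (not part of the original post or its attachment): it pairs each query with its response in verbose tcpdump output and flags exchanges with a high response/query size ratio. The function name, the 5.0 threshold and the second query/response pair in the sample are assumptions constructed for illustration.

```python
import re

# Matches the verbose tcpdump lines quoted in the post: IP length, endpoints, DNS ID.
LINE = re.compile(
    r"length:? (\d+)\) (\S+) > (\S+): (?:\[[^\]]*\]\s+)?(\d+)\S* (.*)")
QUESTION = re.compile(r"(\w+)\? (\S+)")

def amplification_report(lines, threshold=5.0):
    """Pair each DNS query with its response and return the exchanges whose
    response/query IP-length ratio is at least `threshold` (assumed cut-off)."""
    pending, flagged = {}, []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        size, src, dst, txid, rest = int(m[1]), m[2], m[3], m[4], m[5]
        if dst.endswith(".domain"):        # towards port 53: a query
            q = QUESTION.search(rest)
            pending[(src, dst, txid)] = (size, q[1] if q else "?", q[2] if q else "?")
        elif src.endswith(".domain"):      # from port 53: a response
            query = pending.pop((dst, src, txid), None)
            if query is None:
                continue                   # no matching query in this capture
            qsize, qtype, qname = query
            ratio = round(size / qsize, 2)
            if ratio >= threshold:
                flagged.append({"server": src, "client": dst, "qtype": qtype,
                                "qname": qname, "query_len": qsize,
                                "response_len": size, "ratio": ratio})
    return flagged

# First two lines are from the post; the last two are constructed for contrast.
SAMPLE = """\
10:17:07.641061 IP (tos 0x0, ttl  64, id 46429, offset 0, flags [DF], length: 49) XXXXXXXXXXXXX.44295 > c.gtld-servers.net.domain: [udp sum ok]  18297 ANY? org. (21)
10:17:07.673800 IP (tos 0x0, ttl  43, id 0, offset 0, flags [DF], length: 468) c.gtld-servers.net.domain > XXXXXXXXXXXXX.44295: 18297- 0/13/13 (440)
10:17:09.100000 IP (tos 0x0, ttl  64, id 1201, offset 0, flags [DF], length: 61) 192.0.2.10.53001 > ns.example.net.domain: [udp sum ok]  4242+ A? www.example.org. (33)
10:17:09.120000 IP (tos 0x0, ttl  50, id 0, offset 0, flags [DF], length: 77) ns.example.net.domain > 192.0.2.10.53001: 4242 1/0/0 A 198.51.100.7 (49)
"""

if __name__ == "__main__":
    for hit in amplification_report(SAMPLE.splitlines()):
        print(hit)
```
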