Re: DNS query spam

To: "Piotr Kamisiski" <rotunda@xxxxxxxxxxxxx>
Subject: Re: DNS query spam
From: Florian Weimer <fw@xxxxxxxxxxxxx>
Date: Tue, 29 Nov 2005 17:42:50 +0100
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <Pine.LNX.4.63.0511272319350.14403@xxxxxxxxxxxxxxxxx> (Piotr Kamisiski's message of "Sun, 27 Nov 2005 23:30:21 +0100 (CET)")
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <Pine.LNX.4.63.0511272319350.14403@xxxxxxxxxxxxxxxxx>

* Piotr Kamisiski:

> 23:05:40.241026 IP 204.92.73.10.40760 > xx.xx.xx.xx.53:  38545+ [1au] ANY 
> ANY? e.mpisi.com. (40)


204.92.73.10 is one of the IP addresses for irc.efnet.ca.  Someone is
spoofing the source addresses, in the hope that DNS servers will
return a large record set.

Could you check if the packets contain OPT records (e.g. using
"tcpdump -s 0 -v")?  This protocol extension is described in the RFC
for ENDS0 (RFC 2671).  EDNS0-capable DNS resolvers can send fragmented
UDP packets, exceeding the traditional 512 byte limit of DNS UDP
replies.  The BIND 9 default maximum response size is 4096, for
example.

If the spoofed requests contain OPT records , you typically get an
amplification factor of about 60 in terms of bandwidth, and 5 in terms
of packet rate, but actual numbers may vary.

Yet another reason to restrict access to your recursive resolvers to
customers only.

Follow-Ups:
- Re: DNS query spam
  - From: Jim Pingle
- Re: DNS query spam
  - From: Piotr Kamisiski

References:
- DNS query spam
  - From: Piotr Kamisiski

Prev by Date: Re: Re: - Cisco IOS HTTP Server code injection/execution vulnerability-
Next by Date: Re: Xaraya <= 1.0.0 RC4 D.O.S / file corruption
Previous by thread: Re: DNS query spam
Next by thread: Re: DNS query spam
Index(es):
- Date
- Thread