Re: recursive DNS servers DDoS as a growing DDoS problem
Here are some dns servers I gathered/scanned during the time I researched
this months ago(that appear to still be up):
68.1.199.151
68.1.196.116
68.1.195.161
68.1.193.177
Just remember when you test/capture packets that the domain being
resolved must NOT exist(ie. "x").
On Thu, 2 Mar 2006, Gadi Evron wrote:
> v9@xxxxxxxxxxx wrote:
> > While you're on the subject of the potentials of DOSing using DNS servers,
> > I noticed several months ago some possible abuses myself, although I soon
> > lost interest for some reason or another.
> >
> > I noticed that a portion of the worlds DNS servers for some reason or
> > another send back large amounts of duplicate replies if, and only if, the
> > domain being resolved does not exist.
> >
> > The amount of duplicates seems to range between 2 and 24(in steps of 2, 4,
> > 8, 12, 16, 20 and 24), where each reply packet is roughly 2.5x(including IP
> > header) larger than the original request(because of the SOA). So, for
> > example one request to a DNS server that sends 24 dups back would roughly
> > equal 60x(24*2.5) amplification of data.
>
> This is very interesting. I don't have any idea why that is happeniong
> (yet). Can you share packet captures?
>