Re: recursive DNS servers DDoS as a growing DDoS problem



Here are some DNS servers I gathered/scanned during the time I researched
this months ago (that appear to still be up):

68.1.199.151
68.1.196.116
68.1.195.161
68.1.193.177

Just remember when you test/capture packets that the domain being
resolved must NOT exist (i.e. "x").

On Thu, 2 Mar 2006, Gadi Evron wrote:

> v9@xxxxxxxxxxx wrote:
> > While you're on the subject of the potentials of DOSing using DNS servers, 
> > I noticed several months ago some possible abuses myself, although I soon 
> > lost interest for some reason or another.
> >
> > I noticed that a portion of the world's DNS servers for some reason or
> > another send back large amounts of duplicate replies if, and only if, the
> > domain being resolved does not exist.
> >
> > The amount of duplicates seems to range between 2 and 24 (in steps of 2, 4,
> > 8, 12, 16, 20 and 24), where each reply packet is roughly 2.5x (including IP
> > header) larger than the original request (because of the SOA).  So, for
> > example one request to a DNS server that sends 24 dups back would roughly
> > equal 60x (24*2.5) amplification of data.
>
> This is very interesting. I don't have any idea why that is happening
> (yet). Can you share packet captures?
>
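
A resolver operator can check for the duplicate-reply behaviour described in the quoted message by grouping replies per query in their own capture and comparing bytes out to bytes in. This is an added example, not part of the original thread; the record layout, the addresses (RFC 5737 documentation ranges) and the packet sizes are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records, one tuple per packet as exported from a capture:
# (direction, resolver_ip, dns_txid, qname, rcode, ip_length_bytes)
SAMPLE = [
    ("query", "192.0.2.53", 0x1A2B, "x.", None, 60),
    *[("reply", "192.0.2.53", 0x1A2B, "x.", "NXDOMAIN", 150)] * 24,
    ("query", "198.51.100.7", 0x0C0D, "x.", None, 60),
    ("reply", "198.51.100.7", 0x0C0D, "x.", "NXDOMAIN", 150),
]


def duplicate_reply_report(records, min_replies=2):
    """Return transactions that drew more than one reply, largest amplification first."""
    queries = {}                 # (resolver, txid, qname) -> request size
    replies = defaultdict(list)  # (resolver, txid, qname) -> [(rcode, size), ...]
    for direction, resolver, txid, qname, rcode, length in records:
        key = (resolver, txid, qname.lower())
        if direction == "query":
            queries[key] = length
        elif direction == "reply":
            replies[key].append((rcode, length))

    report = []
    for key, seen in replies.items():
        # Skip replies with no matching query in the capture, and the normal
        # case of exactly one answer per request.
        if key not in queries or len(seen) < min_replies:
            continue
        reply_bytes = sum(length for _, length in seen)
        report.append({
            "resolver": key[0],
            "qname": key[2],
            "replies": len(seen),
            "rcodes": sorted({rcode for rcode, _ in seen}),
            "amplification": round(reply_bytes / queries[key], 1),
        })
    return sorted(report, key=lambda row: row["amplification"], reverse=True)


if __name__ == "__main__":
    for row in duplicate_reply_report(SAMPLE):
        print(row)
```
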