<<< Date Index >>>     <<< Thread Index >>>

Re: [Full-disclosure] Re: recursive DNS servers DDoS as a growing DDoSproblem



Sorry, I don't see this as amplification in your example, because YOUR dns servers are 100% of the traffic. 1:1 ratio.

Now, if you get the world to cache your text records, and have THEM flood with source-spoofed UDP (unrelated to the victim's DNS servers), that'd work, and is actually a good example of amplification. There's plenty of open DNS servers out there that'll do this, but each one of them is going to hit your local dns server initially.

-Mark Coleman


Geo. wrote:
In the scenario you describe, I cannot see any actual amplification...

I'll give you a senario where you can see.

lets say you have 2 name servers that are local to you.

I setup a domain, example.com. In this domain I create a text record which is 
100K in length, I don't know, perhaps I paste the source code to decss in it, 
whatever it's a big text record.

Now I simply spoof a UDP packet using your IP address as the source address and 
send it to both of your dns servers. This packet is a query for the example.com 
text record. I have now sent two very small packets and you have received 200K 
of traffic. That's the amplification, one small udp packet, one large text 
record in return.

Note, I don't have to use your local servers, but this way it makes it more fun 
to troubleshoot because it looks like you are the cause of your own flooding..

Geo.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/