--On den 8 mars 2006 14.58.20 -0500 gboyce <gboyce@xxxxxxxxxxxx> wrote: > On Wed, 8 Mar 2006, Security Lists wrote: > >> Sorry, I don't see this as amplification in your example, because YOUR >> dns servers are 100% of the traffic. 1:1 ratio. > > Once the first request to the nameservers is made, the object should be > cached by the nameservers. Instead of one packet to each server, > consider a stream of packets to each server. The recipient will recieve > a stream of 100K answers with likely only 200K of traffic back to the > attackers DNS server. Now, the proper way to exploit this is to craft a record in a zone you control, that is some 4 kibibytes large, and have the spoofed query use EDNS0 (RFC2671) and advertise a willingness to receive such a large message. Much better payback. This is not anything artificial, it is based on actual attacks. Go and restrict your recursing name servers to answering queries from your own networks -- we are now, and this makes me sad, at a point where SMTP was 1994-5, open relays were at times regarded as a good utility. No such thing today, and I think DNS will take the same route. Do this limitation soon, but with care and afterthought, so as not to create a walled garden. What we do not want is packet filters as a panic measure. We want the end nodes to be sturdy in themselves. Like other spoofing attack countermeasures, this is a measure that will protect your neighbours more than yourselves, so do it for the good of others. -- Måns Nilsson Systems Specialist +46 70 681 7204 cell KTHNOC +46 8 790 6518 office MN1334-RIPE Hello. I know the divorce rate among unmarried Catholic Alaskan females!!
Attachment:
pgpOBqLIF6xRR.pgp
Description: PGP signature