Re: recursive DNS servers DDoS as a growing DDoS problem

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: recursive DNS servers DDoS as a growing DDoS problem
From: Michael Sierchio <kudzu@xxxxxxxxxxxx>
Date: Fri, 17 Mar 2006 16:37:10 -0800
In-reply-to: <20060314065237.6d43f556@xxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <44042E72.7010602@xxxxxxxxxxxx> <718d032a0603070926v4f696e33g25b666fa08137eae@xxxxxxxxxxxxxx> <20060314065237.6d43f556@xxxxxxxxxxxxxxx>
User-agent: Thunderbird 1.5 (Windows/20051201)

Robert Story wrote:

VG> In the scenario you describe, I cannot see any actual amplification...

The amplification isn't in the number of hosts responding, but in packet size.
A very small DNS request packet results in a huge response packet.


Are you talking about rogue authoritative servers?  Otherwise, responses
will be limited to 512 bytes, possibly with the truncation bit set.

References:
- recursive DNS servers DDoS as a growing DDoS problem
  - From: Gadi Evron
- Re: recursive DNS servers DDoS as a growing DDoS problem
  - From: Ventsislav Genchev
- Re: recursive DNS servers DDoS as a growing DDoS problem
  - From: Robert Story

Prev by Date: [CVE-2006-0745] X.Org Security Advisory: privilege escalation and DoS in X11R6.9, X11R7.0
Next by Date: RE: Generically Determining the Prescence of Virtual Machines
Previous by thread: Re: recursive DNS servers DDoS as a growing DDoS problem
Next by thread: Re: recursive DNS servers DDoS as a growing DDoS problem
Index(es):
- Date
- Thread