BugTraq
DNS query spam Nov 27 2005 10:30PM
Piotr Kamisiski (rotunda ktd krakow pl) (4 replies)
Re: DNS query spam Nov 29 2005 04:42PM
Florian Weimer (fw deneb enyo de) (2 replies)
* Piotr Kamisiski:

> 23:05:40.241026 IP 204.92.73.10.40760 > xx.xx.xx.xx.53: 38545+ [1au] ANY ANY? e.mpisi.com. (40)

204.92.73.10 is one of the IP addresses for irc.efnet.ca. Someone is
spoofing the source addresses, in the hope that DNS servers will
return a large record set.

Could you check if the packets contain OPT records (e.g. using
"tcpdump -s 0 -v")? This protocol extension is described in the RFC
for EDNS0 (RFC 2671). EDNS0-capable DNS resolvers can send fragmented
UDP packets, exceeding the traditional 512 byte limit of DNS UDP
replies. The BIND 9 default maximum response size is 4096, for
example.

If the spoofed requests contain OPT records, you typically get an
amplification factor of about 60 in terms of bandwidth, and 5 in terms
of packet rate, but actual numbers may vary.

Yet another reason to restrict access to your recursive resolvers to
customers only.

[ reply ]
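The check Florian asks for (are these ANY queries carrying an EDNS0 OPT record, and how much could a 4096-byte reply amplify them?) can be scripted against tcpdump's one-line DNS summaries. The following is an added example, not code from the thread or from any of its posters. It assumes tcpdump's default (non-`-v`) query summary format as shown in the quoted capture, treats the `[1au]` marker (one additional record in a query) as the EDNS0 OPT record, takes the 4096-byte BIND 9 default from the post as the worst-case reply size, and uses a constructed sample capture in which the destination is a documentation address and the `min_queries` threshold is an arbitrary choice.

```python
import re
from collections import defaultdict

# tcpdump one-line UDP/53 query summary, e.g.
# "23:05:40.241026 IP 204.92.73.10.40760 > 192.0.2.53.53: 38545+ [1au] ANY ANY? e.mpisi.com. (40)"
# The "[Nau]" token is tcpdump's count of additional records in the query;
# for a query that is (assumption) the EDNS0 OPT record. The class token
# before the type ("ANY ANY?") is optional and absent for class IN.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.53: "
    r"(?P<id>\d+)(?P<rd>\+?) "
    r"(?:\[(?P<ar>\d+)au\] )?"
    r"(?:(?P<qclass>[A-Z]+) )?"
    r"(?P<qtype>[A-Za-z0-9]+)\? (?P<qname>\S+) \((?P<len>\d+)\)$"
)

# Constructed sample capture: three spoofed-looking ANY+OPT queries from the
# address seen in the thread, plus one ordinary A lookup from another host.
SAMPLE_CAPTURE = """\
23:05:40.241026 IP 204.92.73.10.40760 > 192.0.2.53.53: 38545+ [1au] ANY ANY? e.mpisi.com. (40)
23:05:40.251311 IP 204.92.73.10.40760 > 192.0.2.53.53: 38546+ [1au] ANY ANY? e.mpisi.com. (40)
23:05:40.262044 IP 204.92.73.10.40760 > 192.0.2.53.53: 38547+ [1au] ANY ANY? e.mpisi.com. (40)
23:05:41.001200 IP 198.51.100.7.51234 > 192.0.2.53.53: 1201+ A? www.example.com. (33)
"""

# BIND 9 default maximum UDP response size quoted in the post.
BIND9_MAX_UDP_RESPONSE = 4096


def parse_query(line):
    """Parse one tcpdump DNS query line; return None for lines that are not queries."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": m["src"],
        "dst": m["dst"],
        "qtype": m["qtype"],
        "qname": m["qname"],
        "req_bytes": int(m["len"]),       # DNS payload length tcpdump prints in parentheses
        "edns": m["ar"] is not None,      # query carried an additional record (OPT)
    }


def summarize(lines, max_response=BIND9_MAX_UDP_RESPONSE, min_queries=3):
    """Group queries by claimed source address and flag repeated ANY+OPT senders.

    The claimed source is the address a spoofed query wants the large reply
    sent to, so per-source counts are what a resolver operator should watch.
    """
    per_src = defaultdict(lambda: {"queries": 0, "any_edns": 0, "req_bytes": 0, "names": set()})
    for line in lines:
        q = parse_query(line)
        if q is None:
            continue
        s = per_src[q["src"]]
        s["queries"] += 1
        s["req_bytes"] += q["req_bytes"]
        if q["qtype"] == "ANY" and q["edns"]:
            s["any_edns"] += 1
            s["names"].add(q["qname"])

    report = {}
    for src, s in per_src.items():
        avg_req = s["req_bytes"] / s["queries"]
        report[src] = {
            "queries": s["queries"],
            "any_edns": s["any_edns"],
            # Upper bound on payload amplification if each query drew a
            # full-size EDNS0 reply; real answers are usually smaller.
            "max_amplification": round(max_response / avg_req, 1),
            "suspicious": s["any_edns"] >= min_queries,
            "names": sorted(s["names"]),
        }
    return report


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_CAPTURE.splitlines()).items():
        print(src, info)
```

Feeding a real capture is a matter of piping `tcpdump -n -l udp dst port 53` into `summarize()`; `-v` additionally prints the OPT record's advertised UDP size, which is the value to compare against the resolver's configured maximum when deciding whether to lower it or, as the post recommends, to refuse recursion from outside the customer ranges altogether.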
Re: DNS query spam Nov 30 2005 12:49PM
Jim Pingle (jim hpcisp com)
Re: DNS query spam Nov 29 2005 04:57PM
Piotr Kamisiski (rotunda ktd krakow pl)
Re: DNS query spam Nov 29 2005 06:52AM
Alexander Lourier (aml rulezz ru)
Re: DNS query spam Nov 29 2005 06:50AM
Josep Ma Castells (jcb kastells com) (2 replies)
Re: DNS query spam Nov 30 2005 09:20AM
Florian Weimer (fw deneb enyo de)
Re: DNS query spam Nov 30 2005 03:23AM
Joe (joe hostpc com)
Re: DNS query spam Nov 29 2005 12:37AM
Antone Roundy (antone geckotribe com) (1 replies)
Re: DNS query spam Nov 30 2005 04:41AM
Stephen Stuart (stuart tech org)


 

Copyright 2010, SecurityFocus