BugTraq
Re: [Full-disclosure] Re: recursive DNS servers DDoS as a growing DDoS problem Mar 08 2006 10:55PM
Mark Senior (senatorfrog gmail com) (1 replies)
Re: [Full-disclosure] Re: recursive DNS servers DDoS as a growing DDoS problem Mar 14 2006 12:04PM
Robert Story (rstory-l 2006 revelstone com) (1 replies)
On Wed, 8 Mar 2006 15:55:21 -0700 Mark wrote:
MS> Correct me if I'm wrong, but I was under the impression that DNS
MS> responses that go over the max size of a UDP datagram won't get split
MS> into multiple UDP datagrams. Rather, a response with only partial
MS> data will be sent back, and the client has to reconnect over TCP to
MS> get the full data.
MS>
MS> RFC 2671 even suggests that UDP DNS messages can't go over 512 bytes
MS> (although it may be old news now that that has been increased).

Exactly. The attackers do use EDNS0 [RFC2671], which allows clients to declare
the maximum size of UDP message they are willing to handle. So the spoofed
packet sets this value to whatever they want.

MS> So, you can send a bunch of source-spoofed requests that are under 100
MS> bytes, and get a bunch of 512 bytes responses.

In the most recent round of attacks, the attackers were using 4k TXT records,
so a 100 byte request is hugely amplified...

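To make the size arithmetic in the exchange above concrete, here is an added example (not code from either poster) that builds a DNS TXT query with and without an EDNS0 OPT pseudo-RR, parses the advertised UDP payload size back out of the packet, and answers it the way a resolver would: without EDNS0 the 512-byte UDP limit applies and an oversize reply is truncated with TC set (the client retries over TCP), while with EDNS0 the full multi-kilobyte TXT answer goes out in one datagram. The name example.com, the 4000-byte TXT payload and the 4096-byte advertised size are constructed inputs chosen for the illustration; nothing is sent on the network.

```python
"""DNS amplification arithmetic over hand-built wire packets (constructed example).

Packets are built and parsed in memory only; no network I/O takes place.
"""
import struct

OPT_TYPE = 41            # EDNS0 OPT pseudo-RR (RFC 2671)
TXT_TYPE = 16
IN_CLASS = 1
CLASSIC_UDP_LIMIT = 512  # RFC 1035 ceiling for UDP replies when no OPT RR is present
TC_FLAG = 0x0200         # "truncated" bit in the DNS header flags
SERVER_BUFSIZE = 4096    # assumed size the answering server advertises in its own OPT RR


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=TXT_TYPE, edns_bufsize=None, qid=0x1234):
    """Build a recursion-desired query; edns_bufsize adds an OPT RR advertising that UDP size."""
    arcount = 1 if edns_bufsize is not None else 0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(name) + struct.pack("!HH", qtype, IN_CLASS)
    pkt = header + question
    if edns_bufsize is not None:
        # OPT RR: root name, TYPE=41, CLASS field carries the UDP payload size,
        # TTL field carries extended RCODE/flags (0), RDLEN=0 (no options)
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_bufsize, 0, 0)
    return pkt


def skip_name(pkt, off):
    """Return the offset just past the name starting at off (handles compression pointers)."""
    while True:
        ln = pkt[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln


def parse_edns_bufsize(pkt):
    """Return the UDP payload size advertised in an OPT RR, or None if the packet has no EDNS0."""
    _qid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass
    return None


def build_response(query, txt_payload):
    """Answer a TXT query with txt_payload split into 255-byte character-strings.

    The reply is limited to the UDP size the client advertised (512 without EDNS0);
    an oversize reply is cut down to header + question with TC set so the client
    has to retry over TCP, which is exactly what stops amplification without EDNS0.
    """
    qid = struct.unpack("!H", query[:2])[0]
    qend = skip_name(query, 12) + 4
    question = query[12:qend]
    bufsize = parse_edns_bufsize(query)
    limit = bufsize if bufsize is not None else CLASSIC_UDP_LIMIT
    rdata = b"".join(
        bytes([len(txt_payload[i:i + 255])]) + txt_payload[i:i + 255]
        for i in range(0, len(txt_payload), 255)
    )
    # 0xc00c is a compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TXT_TYPE, IN_CLASS, 300, len(rdata)) + rdata
    opt = b"" if bufsize is None else b"\x00" + struct.pack("!HHIH", OPT_TYPE, SERVER_BUFSIZE, 0, 0)
    arcount = 0 if bufsize is None else 1
    full = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, arcount) + question + answer + opt
    if len(full) <= limit:
        return full
    return struct.pack("!HHHHHH", qid, 0x8180 | TC_FLAG, 1, 0, 0, arcount) + question + opt


def is_truncated(response):
    return bool(struct.unpack("!H", response[2:4])[0] & TC_FLAG)


def amplification(query, response):
    """Bytes the spoofed victim receives per byte the attacker had to send."""
    return len(response) / len(query)


if __name__ == "__main__":
    payload = b"A" * 4000  # constructed stand-in for a ~4k TXT record
    for bufsize in (None, 4096):
        q = build_query("example.com", edns_bufsize=bufsize)
        r = build_response(q, payload)
        print(f"EDNS0 bufsize={bufsize}: query {len(q)} B, reply {len(r)} B, "
              f"TC={is_truncated(r)}, amplification x{amplification(q, r):.1f}")
```

Without the OPT RR the reply collapses to 29 bytes with TC set and the attacker gains nothing; with a 4096-byte advertisement the same 40-byte query draws a 4068-byte reply, roughly a hundredfold amplification, which is the point being made above about EDNS0.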
Re: [Full-disclosure] Re: recursive DNS servers DDoS as a growing DDoS problem Mar 18 2006 02:26AM
Bram Matthys (Syzop) (syzop vulnscan org) (1 replies)
Re: [Full-disclosure] Re: recursive DNS servers DDoS as a growing DDoS problem Mar 20 2006 05:25PM
Tim (tim-security sentinelchicken org)