|
|
BugTraq
Re: [Full-disclosure] Re: recursive DNS servers DDoS as a growing DDoSproblem Mar 08 2006 10:55PM Mark Senior (senatorfrog gmail com) (1 replies) Re: [Full-disclosure] Re: recursive DNS servers DDoS as a growing DDoSproblem Mar 14 2006 12:04PM Robert Story (rstory-l 2006 revelstone com) (1 replies) Re: [Full-disclosure] Re: recursive DNS servers DDoS as a growing DDoSproblem Mar 18 2006 02:26AM Bram Matthys (Syzop) (syzop vulnscan org) (1 replies) |
|
Privacy Statement |
> Indeed, interesting. I was not aware of this feature.
>
> But let's get to the point.. why is "recursive" in this email subject? It
> doesn't need to have anything to do with recursive DNS.. you can exploit this
> on normal public authoritative nameservers as well.
You can certainly get amplification from servers that don't provide you
recursion, but you can get more if they do. For instance, if the
attacker wants to attack servers at example.com, he could send a query
to recursive.example.org for a large record that exists under
example.com. He would of course spoof the source address of this
request as if it came from some IP owned by example.com. Thus the
traffic looks like:
Attacker(spoofed) --query for bigrecord.example.com--> recursive.example.org
recursive.example.org --query for bigrecord.example.com--> ns.example.com
ns.example.com --response for bigrecord.example.com--> recursive.example.org
recursive.example.org --response for bigrecord.example.com--> spoofed
Where 'spoofed' is some IP at example.com. So now example.com not only
receives a large record, their DNS server has to dish it out first.
This assumes they host some large record there.
cheers,
tim
[ reply ]