|
|
BugTraq
recursive DNS servers DDoS as a growing DDoS problem Feb 28 2006 11:05AM Gadi Evron (ge linuxbox org) (2 replies) Re: recursive DNS servers DDoS as a growing DDoS problem Mar 25 2006 09:40AM MaddHatter maddhatt+bugtraq (at) cat.pdx (dot) edu [email concealed] (maddhatt+bugtraq cat pdx edu) (1 replies) Re: recursive DNS servers DDoS as a growing DDoS problem Mar 25 2006 04:06PM Gadi Evron (ge linuxbox org) (1 replies) Re: recursive DNS servers DDoS as a growing DDoS problem Mar 26 2006 04:34PM Geo. (geoincidents nls net) (3 replies) Re: recursive DNS servers DDoS as a growing DDoS problem Mar 28 2006 12:43AM Stephen Samuel (samuel bcgreen com) (1 replies) Re: recursive DNS servers DDoS as a growing DDoS problem Mar 31 2006 01:27AM Paul Stepowski (p stepowski qut edu au) Re: recursive DNS servers DDoS as a growing DDoS problem Mar 27 2006 11:42PM gboyce (gboyce badbelly com) Re: recursive DNS servers DDoS as a growing DDoS problem Mar 27 2006 11:27PM mike davis (phar stonedcoder org) (1 replies) Re: recursive DNS servers DDoS as a growing DDoS problem Mar 28 2006 03:09AM Geo. (geoincidents nls net) (1 replies) Re: recursive DNS servers DDoS as a growing DDoS problem Mar 07 2006 05:26PM Ventsislav Genchev (vigour1 gmail com) (1 replies) Re: recursive DNS servers DDoS as a growing DDoS problem Mar 14 2006 11:52AM Robert Story (rstory-l 2006 revelstone com) (1 replies) Re: recursive DNS servers DDoS as a growing DDoS problem Mar 18 2006 12:37AM Michael Sierchio (kudzu tenebras com) |
|
Privacy Statement |
> The flood is a flood of answers not queries, you spoof the source address of
> a query with the address of your target, the target gets the response from
> the dns server. A cache on the dns server just makes it a more efficient
> response.
Queries are bad enough. This can be played with from any point in the
chain. I.e. from the amount of querying clients, the number of so-called
"relaying servers", possible /effective/ amplification and the size of
the TXT SOA record.
Increase any of these and you somewhat increase the attack if one of the
others is controlled. So treating just one is not really a solution.
We provided with an equation of sort to this effect in the paper we
pre-released for the community when the FUD started (was supposed to
eventually be an academic paper):
http://www.isotf.org/news/DNS-Amplification-Attacks.pdf
Yes, in my opinion recursion should be put under better control, but
it's what-a-mole all over again if we do it by running after servers.
The problem here (if we are to ignore just for a moment other UDP/DNS
attacks) is with the attack vector - spoofing.
Many networks today allow spoofing.
Should recursion by default be disabled? Yes. Is it a problem when done
insecurely? Yes. Is it what we should run after on the "client-side"
servers? No, or maybe not Yes but not Only.
> I have not seen a perfect solution yet, at best the solutions I've seen
> mentioned eliminate this one flood vector. I would suggest that when
> considering which one to choose we look at what we lose with each choice.
> Eliminate spoofing and you lose virtually nothing, eliminate open recursive
I am with you so far. Spoofing is not the only problem of the Internet
by far, but is is a problem mostly ignored thus far as it was not
actively exploited *sniff*
> servers and you have just created a really powerful control mechanism for
> entities to control large sections of the internet since folks from those
> sections won't be able to use anyone else's DNS servers or even run their
> own (much like port 25 blocking limits who can run a mail server today). He
> who controls dns controls the network.
Is this like when you brought up Government conspiracies in this regard
on another list?
I can understand discussion going on with different lists, I sin with
that myself recently. There were no direct lists to handle DNS or
botnets issues until not long ago, still - should we just skip a list
whenever you are disagreed with?
Gadi.
[ reply ]