Bugtraq mailing list archives
Re: [Full-disclosure] Re: recursive DNS servers DDoS as a growing DDoS problem
From: Robert Story <rstory-l () 2006 revelstone com>
Date: Tue, 14 Mar 2006 07:04:45 -0500
On Wed, 8 Mar 2006 15:55:21 -0700 Mark wrote:

MS> Correct me if I'm wrong, but I was under the impression that DNS
MS> responses that go over the max size of a UDP datagram won't get split
MS> into multiple UDP datagrams. Rather, a response with only partial
MS> data will be sent back, and the client has to reconnect over TCP to
MS> get the full data.
MS>
MS> RFC 2671 even suggests that UDP DNS messages can't go over 512 bytes
MS> (although it may be old news now that that has been increased).

Exactly. The attackers do use EDNS0 [RFC2671], which allows clients to declare the maximum size of UDP message they are willing to handle. So the spoofed packet sets this value to whatever they want.

MS> So, you can send a bunch of source-spoofed requests that are under 100
MS> bytes, and get a bunch of 512-byte responses.

In the most recent round of attacks, the attackers were using 4k TXT records, so a 100-byte request is hugely amplified...
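As an added example (not part of the original thread), the following Python shows the resolver-side view of the point above: it parses the EDNS0 OPT record of an incoming query to read the UDP payload size the requester advertised, and computes the response-to-request byte ratio that advertisement invites. The query builder exists only to construct sample input; the flag threshold is an assumed policy value.

```python
import struct
from typing import Optional

OPT_TYPE = 41  # RFC 2671 OPT pseudo-RR; its CLASS field carries the requester's UDP payload size

def build_query(name: str, qtype: int, udp_size: Optional[int] = None) -> bytes:
    """Constructed sample input: a minimal DNS query, optionally with an EDNS0 OPT RR."""
    header = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if udp_size else 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    question = qname + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN
    opt = b""
    if udp_size:
        # root name, TYPE=OPT, CLASS=udp_size, TTL (ext-rcode/version/flags)=0, RDLEN=0
        opt = b"\x00" + struct.pack(">HHIH", OPT_TYPE, udp_size, 0, 0)
    return header + question + opt

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name, handling the compression-pointer case."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def edns_udp_size(msg: bytes) -> Optional[int]:
    """Return the EDNS0 UDP payload size advertised in a DNS message, or None if no OPT RR."""
    qd, an, ns, ar = struct.unpack(">HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass
    return None

def amplification_ceiling(query: bytes) -> float:
    """Largest UDP response/request byte ratio the query invites:
    the advertised EDNS0 size (or the classic 512-byte limit) over the query length."""
    return (edns_udp_size(query) or 512) / len(query)

def flag_query(query: bytes, max_udp_size: int = 1232) -> bool:
    """Assumed policy check: flag queries advertising a buffer larger than the resolver wants to honour."""
    size = edns_udp_size(query)
    return size is not None and size > max_udp_size
```

A resolver that clamps the advertised size (or answers over TCP beyond it) bounds the ceiling regardless of what the spoofed packet claims.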