Re: recursive DNS servers DDoS as a growing DDoS problem

[v9 <v9 () fakehalo us>]

Here are some dns servers I gathered/scanned during the time I researched
this months ago(that appear to still be up):

68.1.199.151
68.1.196.116
68.1.195.161
68.1.193.177

Just remember when you test/capture packets that the domain being
resolved must NOT exist(ie. "x").

On Thu, 2 Mar 2006, Gadi Evron wrote:

> v9 () fakehalo us wrote:
> > While you're on the subject of the potentials of DOSing using DNS servers, I noticed several months ago some 
> > possible abuses myself, although I soon lost interest for some reason or another.
> >
> > I noticed that a portion of the worlds DNS servers for some reason or another send back large amounts of duplicate 
> > replies if, and only if, the domain being resolved does not exist.
> >
> > The amount of duplicates seems to range between 2 and 24(in steps of 2, 4, 8, 12, 16, 20 and 24), where each reply 
> > packet is roughly 2.5x(including IP header) larger than the original request(because of the SOA).  So, for example 
> > one request to a DNS server that sends 24 dups back would roughly equal 60x(24*2.5) amplification of data.
>
> This is very interesting. I don't have any idea why that is happeniong
> (yet). Can you share packet captures?