Bugtraq mailing list archives
Re: recursive DNS servers DDoS as a growing DDoS problem
From: Stephen Samuel <samuel () bcgreen com>
Date: Mon, 27 Mar 2006 16:43:10 -0800
Geo. wrote:
What feature of DNS is being exploited, UDP or the fact that there are a lot of dns servers you can use?
I think that this is probably a better point than you think. It's almost impossible to change the design of the DNS protocol now but, going forward, I think that we do need to add to the best-practices list that any UDP based protocol that has an ability to produce packet size amplification, and that is likely to be available to the public (i.e. not firewalled off just on principle) should be modified so that, before large packets get sent back to a client, the service has some sort of 'hello' type protocol that requires that the initiating machine can prove that it's actually able to receive the packets that it's causing to be produced.

Even something as simple as syn cookies would probably make amplification difficult for most attackers.

To put it another way: UDP as a purely connectionless protocol is fast becoming a liability in situations where significant amplification is possible.

--
Stephen Samuel +1(778)861-7641 samnospam () bcgreen com
http://www.bcgreen.com/
Powerful committed communication. Transformation touching the jewel within each person and bringing it to light.
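The reachability check described in the post, as an added example that is not part of the thread and not the poster's code: a server that answers small replies directly but, before sending a large reply, hands back a short stateless HMAC cookie (in the spirit of the SYN cookies the post mentions) that the requester must echo from the source address it claimed. The zone data, the 512-byte threshold, the 60-second cookie window and the `exchange` simulation are all constructed assumptions for the demonstration; a spoofed request only ever draws an 8-byte challenge, so the bytes delivered to the victim are fewer than the bytes the requester had to send.

```python
import hashlib
import hmac
import secrets
import time

# Constructed zone data for the demonstration (not real DNS records).
ZONE = {
    "small.example": b"A 192.0.2.10",          # fits in a normal small reply
    "big.example": b"TXT " + b"x" * 3000,      # stands in for a bloated ANY/TXT answer
}

SMALL_REPLY_LIMIT = 512   # bytes: anything this size or below is answered directly
COOKIE_TTL = 60           # seconds a cookie remains valid (assumed value)


def lookup(name):
    return ZONE.get(name, b"NXDOMAIN")


class AmplificationGuard:
    """Stateless reachability check before a large UDP reply (assumed design)."""

    def __init__(self, secret=None):
        self.secret = secret or secrets.token_bytes(32)

    def _cookie(self, client_ip, window):
        # Bound to the claimed source address and a time window; 8 bytes is
        # plenty for a proof of reachability and keeps the challenge tiny.
        msg = f"{client_ip}|{window}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def make_cookie(self, client_ip, now):
        return self._cookie(client_ip, int(now // COOKIE_TTL))

    def verify_cookie(self, client_ip, cookie, now):
        w = int(now // COOKIE_TTL)
        # Accept the current and previous window so a cookie issued just
        # before rollover is still honoured.
        return any(hmac.compare_digest(cookie, self._cookie(client_ip, x))
                   for x in (w, w - 1))

    def handle(self, src_ip, name, cookie=None, now=None):
        """Return ('answer', data) or ('challenge', cookie) for one request."""
        now = time.time() if now is None else now
        answer = lookup(name)
        if len(answer) <= SMALL_REPLY_LIMIT:
            return "answer", answer
        if cookie is not None and self.verify_cookie(src_ip, cookie, now):
            return "answer", answer
        # Large answer, no proof the claimed source can receive it: reply with
        # a challenge smaller than the request instead of the big payload.
        return "challenge", self.make_cookie(src_ip, now)


def exchange(server, requester_ip, src_ip, name, now=0):
    """Simulate the UDP exchange.

    requester_ip: where the request really originates.
    src_ip: the source address written into the packet (equal to requester_ip
            for an honest client; a victim's address for a spoofed request).
    Returns (bytes delivered to src_ip, bytes the requester had to send).
    """
    request = name.encode()
    sent = len(request)
    kind, payload = server.handle(src_ip, name, now=now)
    delivered = len(payload)
    if kind == "challenge" and requester_ip == src_ip:
        # Only a host that really receives packets at src_ip sees the cookie
        # and can echo it; a spoofer never gets past this point.
        sent += len(request) + len(payload)
        kind, payload = server.handle(src_ip, name, cookie=payload, now=now)
        delivered += len(payload)
    return delivered, sent


def amplification(server, requester_ip, src_ip, name):
    """Bytes landing on src_ip per byte the requester transmitted."""
    delivered, sent = exchange(server, requester_ip, src_ip, name)
    return delivered / sent


if __name__ == "__main__":
    guard = AmplificationGuard()
    print("honest client, big answer:", round(amplification(guard, "203.0.113.9", "203.0.113.9", "big.example"), 1))
    print("spoofed source, big answer:", round(amplification(guard, "203.0.113.9", "198.51.100.7", "big.example"), 2))
```

The honest client still gets its large answer (at the cost of one extra round trip); the spoofed request is capped at a sub-1 amplification factor because the server never emits more than the cookie toward an address that has not proven it can receive.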