> 8.2. A denial of service attack can be launched by flooding an update
> forwarder with TCP sessions containing updates that the primary
> master server will ultimately refuse due to permission problems.
> This arises due to the requirement that an update forwarder receiving
> a request via TCP use a synchronous TCP session for its forwarding
> operation. The connection management mechanisms of [RFC1035 4.2.2]
> are sufficient to prevent large scale damage from such an attack, but
> not to prevent some queries from going unanswered during the attack.
Newest versions of BIND8 die when secondary DNS authorities (or any other hosts)
shamelessly
ask for zone transfers/updates in a mass amount,although there are some
strongly-defined
acl's. The result is a BIG DoS, rising the load average to Himalaya and blowing up the
dns server.
Bug reported already,with a short and concise (should I say amateurish?) bounce
answer: "Hell, you can DoS
a lot of services that way!". Just imagine DNS1.microsoft.com under heavy assault.What
if the next day
someone finds a good apache DoS and gets rejected ?
Oh,I remembered. Spoofed IP packets are the favourites of the day, you need only to
attack not to
listen to the last whispers of a dying server. You just don't want to be logged,
do you ? :>
> All Dynamic DNS services that I know of are vulnerable .
> I am not going to include code, but it is a trivial task to spoof a packet
> (UDP or TCP) with RR data in the
> format this RFC specifies. In other words, anyone can manipulate RR
> records by sending bogus data
> because the only authentication is IP.
Good old juggernaut should be enough for that >=-). For kiddies it's reccomended to
read RFC's
and assemble packets on their own, there are a lot of packet-assembling tools on the
Net.
--
Stefan Laudat
Data Networks Analyst
ASIT SA
----------------------------------------------------------------
Skills page http://www.tekmetrics.com/transcript.shtml?pid=30777
----------------------------------------------------------------
!07/11 PDP a ni deppart m'I !pleH