On 01.08.2014 at 11:31, Michael Meyer wrote:
> *** Reindl Harald wrote:
>> On 01.08.2014 at 11:15, Michael Meyer wrote:
>>> *** Reindl Harald wrote:
>>>>
>>>> Name: DNS Amplification Attacks
>>>> Configuration:
>>>> Family: Denial of Service
>>>> OID: 1.3.6.1.4.1.25623.1.0.103718
>>>> Version: $Revision: 11 $
>>>>
>>>> I doubt it
>>>>
>>>> named.conf:
>>>> rate-limit
>>>> {
>>>>  responses-per-second 10;
>>>>  window               5;
>>>> };
>>>
>>> How many bytes does the request have and how many bytes the response? The
>>> NVT will tell you that. The NVT should only report if the response len
>>> is > "request_len*2"
>>
>> looking at the override and seeing TCP makes me believe that
>> is the problem; interesting that it is only reported on
>> one out of 4 DNS servers
>> Port: 53/tcp
> 
> That's a bug in the NVT. It reports TCP but in fact means UDP.
> Fixed in r596.
> 
> Again: How many bytes does the request have and how many bytes the
> response?

it says: "We send a DNS request of 17 bytes and received a response of 228
bytes"

> The NVT should only report if the response len is > "request_len*2"

no! the NVT should only report if you can trigger the same response
100 times per second and detect the RRL configuration correctly

getting the answer below once or twice doesn't mean the server is
vulnerable, and recursion from own machines but with rate limiting
is also not vulnerable - own machines can also be in a different
network given that you must have auth nameservers in two networks
_______________________________________________

[harry@srv-rhsoft:~]$ dig ANY thelounge.net @ns1.thelounge.net
; <<>> DiG 9.9.4-P2-RedHat-9.9.4-15.P2.fc20 <<>> ANY thelounge.net @ns1.thelounge.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14647
;; flags: qr aa rd; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;thelounge.net.                 IN      ANY

;; ANSWER SECTION:
thelounge.net.          86400   IN      SPF     "v=spf1 ip4:91.118.73.0/24 ip4:89.207.144.27 -all"
thelounge.net.          86400   IN      TXT     "v=spf1 ip4:91.118.73.0/24 ip4:89.207.144.27 -all"
thelounge.net.          86400   IN      MX      10 barracuda.thelounge.net.
thelounge.net.          86400   IN      NS      ns2.thelounge.net.
thelounge.net.          86400   IN      NS      ns1.thelounge.net.
thelounge.net.          86400   IN      A       91.118.73.5
thelounge.net.          86400   IN      SOA     ns2.thelounge.net. hostmaster.thelounge.net. 2014071101 3600 1800 1814400 3600

;; Query time: 34 msec
;; SERVER: 85.124.176.242#53(85.124.176.242)
;; WHEN: Fr Aug 01 12:05:10 CEST 2014
;; MSG SIZE  rcvd: 289


_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
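The check argued for above (report amplification only if the same large answer can be pulled out of the server around 100 times per second, and treat truncated or dropped replies as rate limiting doing its job) as an added, stand-alone example; this is not the OpenVAS NVT's code nor anything from the thread. The EDNS buffer size, the 2x amplification threshold, the 10% tolerance for limited replies and the function names are my own choices, and the sample replies fed to the checker are constructed in `build_response`, not captured traffic. A root ANY query without EDNS, as built here, comes out at exactly the 17 bytes the NVT reports.

```python
# Added example, not OpenVAS/NVT code: measure DNS amplification and check
# whether response rate limiting (RRL) caps it, instead of flagging one big answer.
import socket
import struct
import sys
import time

QTYPE_ANY = 255
EDNS_UDP = 4096  # assumed advertised buffer so a large ANY answer fits in one datagram


def encode_name(name):
    """Wire-format a name: 'thelounge.net' -> b'\\x09thelounge\\x03net\\x00'; '.' -> b'\\x00'."""
    labels = [lab for lab in name.strip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name, qtype=QTYPE_ANY, qid=0x1234, rd=False, edns=True):
    """Minimal DNS query. RD is off: the target is an authoritative server and
    recursion is not what is being measured. build_query(".", edns=False) is the
    17-byte request quoted in the thread."""
    header = struct.pack("!HHHHHH", qid, 0x0100 if rd else 0, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE 41, CLASS carries the UDP payload size, TTL 0, empty RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, EDNS_UDP, 0, 0) if edns else b""
    return header + question + opt


def parse_response(data):
    """Header fields the check needs: TC (an RRL 'slip' reply), RCODE, size."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": qid, "tc": bool(flags & 0x0200), "rcode": flags & 0x000F,
            "ancount": an, "length": len(data)}


def build_response(query, txt_chunks, tc=False, rcode=0):
    """Constructed sample answer (not captured traffic) to exercise the checker
    offline: echoes the question and returns one TXT RR per chunk through a
    compression pointer to the question name. tc=True mimics an RRL slip reply
    (header + question only, TC set); rcode=5 mimics REFUSED."""
    end = 12
    while query[end]:
        end += 1 + query[end]
    question = query[12:end + 5]          # terminator + QTYPE + QCLASS
    answers = b""
    for chunk in ([] if tc else txt_chunks):
        rdata = bytes([len(chunk)]) + chunk.encode("ascii")
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 86400, len(rdata)) + rdata
    flags = 0x8400 | (0x0200 if tc else 0) | rcode     # QR|AA [|TC], RCODE
    header = struct.pack("!HHHHHH", (query[0] << 8) | query[1], flags, 1,
                         0 if tc else len(txt_chunks), 0, 0)
    return header + question + answers


def assess(req_len, observations, min_factor=2.0, max_limited_share=0.1):
    """observations: one entry per query of a burst, raw reply bytes or None
    (no reply). 'amplifiable' only if nearly every query was answered in full
    with at least min_factor amplification; truncated or missing replies mean
    RRL is in effect, and a single big answer proves nothing."""
    amplified, peak = 0, 0.0
    for data in observations:
        if data is None:
            continue                                  # dropped by RRL (or lost)
        hdr = parse_response(data)
        if hdr["tc"] or hdr["rcode"] != 0:
            continue                                  # slip or REFUSED: no amplification
        factor = hdr["length"] / req_len
        peak = max(peak, factor)
        amplified += factor >= min_factor
    share = amplified / len(observations) if observations else 0.0
    if amplified == 0:
        verdict = "not_amplifying"
    elif share >= 1.0 - max_limited_share:
        verdict = "amplifiable"
    else:
        verdict = "rate_limited"
    return verdict, round(peak, 2), round(share, 2)


def probe(server, name, count=100, interval=0.01, timeout=1.0, port=53):
    """Live check: send `count` ANY queries at 1/interval per second (100 at
    10 ms spacing is the '100 per second' bar from the thread), then collect
    replies by ID until the socket goes quiet. Returns (req_len, observations)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    queries = {i: build_query(name, qid=i) for i in range(1, count + 1)}
    for q in queries.values():
        sock.sendto(q, (server, port))
        time.sleep(interval)
    replies = {}
    try:
        while len(replies) < count:
            data, _ = sock.recvfrom(65535)
            if len(data) >= 12:
                replies[struct.unpack("!H", data[:2])[0]] = data
    except socket.timeout:
        pass
    sock.close()
    return len(queries[1]), [replies.get(i) for i in queries]


if __name__ == "__main__":        # usage: python3 dns_ampl_check.py ns1.example.net example.net
    req_len, obs = probe(sys.argv[1], sys.argv[2])
    print("verdict=%s peak_factor=%.2f answered_in_full=%.2f" % assess(req_len, obs))
```

Against a BIND server with the `rate-limit { responses-per-second 10; window 5; }` block quoted earlier, a 100-query burst should yield roughly ten full answers followed by a mix of TC=1 slip replies and silence, which `assess` reports as `rate_limited`; only an unlimited server that hands back the full 200-plus byte answer for nearly every query is reported as `amplifiable`. The live `probe` needs a host you are authorised to test.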