RE: recursive DNS servers DDoS as a growing DDoS problem

2006-04-10 Thread Geo.
They don't need more servers, just better software. If you think open recursion (DNS DoS amplification) is an issue ISPs can ignore, I suggest you look at the history of open SMTP relays and networks supporting/allowing directed broadcast. I'll address the ignore part. I don't think closing

Re: recursive DNS servers DDoS as a growing DDoS problem

2006-04-09 Thread Jim Pingle
Geo. wrote: We have done just this (block inbound udp/53) to certain subnets due to a rash of CPEs that happily proxy DNS, including recursive queries, from their WAN side. What devices? Is this a default or something customers are configuring? Just about every Siemens/Efficient *DSL router

Re: recursive DNS servers DDoS as a growing DDoS problem

2006-04-09 Thread Gadi Evron
Geo. wrote: Really? Ok educate me, how do you do this with Windows 2000 running MS dns? (telling people to use another server is not acceptable) If Microsoft's products are broken, why shouldn't I tell people to use something else? You tell them whatever you like, they aren't going to

Re: recursive DNS servers DDoS as a growing DDoS problem

2006-04-09 Thread Geo.
Geo, the default is bad. However, it is not a Microsoft issue, this is a spoofing issue. Many like to bash Microsoft, some hate them. Myself I am known as a Microsoft critic at times. Please don't misunderstand me, I'm not bashing MS or even being a critic (although I have been at times),

Re: recursive DNS servers DDoS as a growing DDoS problem

2006-04-09 Thread Ross Wheeler
If your goal is to eliminate the recursive resolution reflection amplification, then you must disable it for all but trusted subnets. This also defends the server from the more trivial of cache poisoning attacks (assuming your own systems use the resolver as well). I know this is a more

Re: recursive DNS servers DDoS as a growing DDoS problem

2006-04-04 Thread Anton Ivanov
Tim wrote: All it takes is to throttle traffic from the resolvers to outside the ISP network to a reasonably low value. Depending on the ISP this is usually in the low Kbits. All it takes is a moderate amount of competence in the ISP: I don't

RE: recursive DNS servers DDoS as a growing DDoS problem

2006-04-04 Thread Geo.
We have done just this (block inbound udp/53) to certain subnets due to a rash of CPEs that happily proxy DNS, including recursive queries, from their WAN side. What devices? Is this a default or something customers are configuring? Ingress/Egress filtering did not help because the traffic

RE: recursive DNS servers DDoS as a growing DDoS problem

2006-04-04 Thread Måns Nilsson
--On 30 March 2006 16.08.51 -0500 Geo. [EMAIL PROTECTED] wrote: Don't you think creating a control point like that is dangerous? Especially dangerous when it's DNS which runs virtually every function on the internet? The control point is there already, as has been demonstrated by several

Re: recursive DNS servers DDoS as a growing DDoS problem

2006-04-04 Thread Tim
Hello Anton, This is feasible only for corporate networks where the allocations are constant and change once in a few years. It is not feasible in any ISP/Telco above a certain size. In fact, considering the consolidation over the recent years it is not feasible for most ISPs or

Re: recursive DNS servers DDoS as a growing DDoS problem

2006-04-04 Thread Marco Ivaldi
On Thu, 30 Mar 2006, Geo. wrote: Don't you think creating a control point like that is dangerous? Especially dangerous when it's DNS which runs virtually every function on the internet? Yeah, it could be indeed... It's not directly related to the discussion topic, but I just wanted to

Re: recursive DNS servers DDoS as a growing DDoS problem

2006-04-04 Thread Jim Pingle
Geo. wrote: What is stopping you from running your own local DNS server? What is stopping you from running your own SMTP server? A port 25 block? Well if an ISP doesn't want to play whack-a-mole with unsecured dns servers popping up every day do you not think it likely that they will resort

Re: recursive DNS servers DDoS as a growing DDoS problem

2006-04-04 Thread Simon Boulet
gboyce wrote: I haven't heard anyone talk about requiring that users use their ISP's DNS server. Just that they should not be able to use any random DNS server on the internet. What is stopping you from running your own local DNS server? My system at home runs named in a configuration

RE: recursive DNS servers DDoS as a growing DDoS problem

2006-04-03 Thread Geo.
What is stopping you from running your own local DNS server? What is stopping you from running your own SMTP server? A port 25 block? Well if an ISP doesn't want to play whack-a-mole with unsecured dns servers popping up every day do you not think it likely that they will resort to the same

Re: recursive DNS servers DDoS as a growing DDoS problem

2006-04-03 Thread Geo.
1. Resolvers and Authoritative nameservers must be separate and authoritative nameservers must have recursion turned off. Otherwise there is no way to throttle only recursive queries. Great, for small ISPs you just doubled the number of machines they need to dedicate to DNS. 2. In a smaller

Re: recursive DNS servers DDoS as a growing DDoS problem

2006-04-03 Thread Anton Ivanov
[snip] I haven't heard anyone talk about requiring that users use their ISP's DNS server. Just that they should not be able to use any random DNS server on the internet. This is standard practice in Wireless and other ISPs which operate pay as you go service (hotels, conferences,

Re: recursive DNS servers DDoS as a growing DDoS problem

2006-04-01 Thread Gadi Evron
Geo. wrote: The flood is a flood of answers not queries, you spoof the source address of a query with the address of your target, the target gets the response from the dns server. A cache on the dns server just makes it a more efficient response. Queries are bad enough. This can be played with

Re: recursive DNS servers DDoS as a growing DDoS problem

2006-04-01 Thread Paul Stepowski
Stephen Samuel wrote: | To put it another way: UDP as a purely connectionless | protocol is fast becoming a liability in situations where | significant amplification is possible. My thoughts exactly. This attack is possible because of a design

RE: recursive DNS servers DDoS as a growing DDoS problem

2006-03-31 Thread Geo.
servers and you have just created a really powerful control mechanism for entities to control large sections of the internet since folks from those sections won't be able to use anyone else's DNS servers or even run their own (much like port 25 blocking limits who can run a mail server

Re: recursive DNS servers DDoS as a growing DDoS problem

2006-03-30 Thread mike davis
If you have a 20,000 bot botnet and each bot has 2 defined recursive dns servers that it is allowed to use and these bots are on the local subnet (i.e. BCP38 is implemented at the gateway but not at every router) then how exactly is locking down recursive servers so you can only use yours going

Re: recursive DNS servers DDoS as a growing DDoS problem

2006-03-30 Thread gboyce
On Sun, 26 Mar 2006, Geo. wrote: Spoofing is indeed the attack vector and it can also be utilized for NTP, ICMP, etc. It is to blame. Still, DNS is what's being exploited and in my opinion a broken feature being exploited needs fixing, or it will be exploited. What feature of DNS is being

Re: recursive DNS servers DDoS as a growing DDoS problem

2006-03-30 Thread Stephen Samuel
Geo. wrote: What feature of DNS is being exploited, UDP or the fact that there are a lot of dns servers you can use? I think that this is probably a better point than you think. It's almost impossible to change the design of the DNS protocol now but, going forward, I think that we do need

Re: recursive DNS servers DDoS as a growing DDoS problem

2006-03-30 Thread Geo.
BCP38 is implemented at the gateway but not at every router) then how exactly is locking down recursive servers so you can only use yours going to solve anything? uh... caching maybe?... the second field of your answer section when using dig.. The flood is a flood of answers not

Re: recursive DNS servers DDoS as a growing DDoS problem

2006-03-27 Thread Anton Ivanov
Chris Thompson wrote: Michael Sierchio [EMAIL PROTECTED] writes: Robert Story wrote: VG In the scenario you describe, I cannot see any actual amplification... The amplification isn't in the number of hosts responding, but in packet size. A very

Re: recursive DNS servers DDoS as a growing DDoS problem

2006-03-27 Thread Geo.
Spoofing is indeed the attack vector and it can also be utilized for NTP, ICMP, etc. It is to blame. Still, DNS is what's being exploited and in my opinion a broken feature being exploited needs fixing, or it will be exploited. What feature of DNS is being exploited, UDP or the fact that

Re: recursive DNS servers DDoS as a growing DDoS problem

2006-03-25 Thread MaddHatter
We discussed recursive DNS servers before (servers which allow querying anything - including what they are not authoritative for - through them). ... One of the problems is obviously the spoofing. ... Maybe I'm misunderstanding the problem here (but I don't think so). It seems to be the issue

Re: recursive DNS servers DDoS as a growing DDoS problem

2006-03-25 Thread Gadi Evron
MaddHatter wrote: We discussed recursive DNS servers before (servers which allow querying anything - including what they are not authoritative for - through them). ... One of the problems is obviously the spoofing. ... Maybe I'm misunderstanding the problem here (but I don't think so). It

Re: recursive DNS servers DDoS as a growing DDoS problem

2006-03-20 Thread Michael Sierchio
Robert Story wrote: VG In the scenario you describe, I cannot see any actual amplification... The amplification isn't in the number of hosts responding, but in packet size. A very small DNS request packet results in a huge response packet. Are you talking about rogue authoritative servers?

Re: recursive DNS servers DDoS as a growing DDoS problem

2006-03-17 Thread Robert Story
On Tue, 7 Mar 2006 19:26:19 +0200 Ventsislav wrote: VG Are you sure about that amplification process?? Yes. VG In the scenario you describe, I cannot see any actual amplification... The amplification isn't in the number of hosts responding, but in packet size. A very small DNS request packet

Re: recursive DNS servers DDoS as a growing DDoS problem

2006-03-10 Thread Ventsislav Genchev
Are you sure about that amplification process?? Actually if the packet reaches huge sizes it will be fragmented at the attacker's own place because of the network equipment's MTU... or won't be transmitted at all... The concept of the smurf attack is in sending large amount of spoofed packets to the

Re: recursive DNS servers DDoS as a growing DDoS problem

2006-03-02 Thread v9
Here are some dns servers I gathered/scanned during the time I researched this months ago(that appear to still be up): 68.1.199.151 68.1.196.116 68.1.195.161 68.1.193.177 Just remember when you test/capture packets that the domain being resolved must NOT exist(ie. x). On Thu, 2 Mar 2006, Gadi

Re: recursive DNS servers DDoS as a growing DDoS problem

2006-03-02 Thread Gadi Evron
Looking at this further, it seems to be the same attack with the x60 amplification effect. We will know more when we know more. Gadi.

Re: recursive DNS servers DDoS as a growing DDoS problem

2006-03-01 Thread v9
While you're on the subject of the potentials of DOSing using DNS servers, I noticed several months ago some possible abuses myself, although I soon lost interest for some reason or another. I noticed that a portion of the world's DNS servers for some reason or another send back large amounts

recursive DNS servers DDoS as a growing DDoS problem

2006-02-28 Thread Gadi Evron
Hi guys. We discussed recursive DNS servers before (servers which allow querying anything - including what they are not authoritative for - through them). The attack currently in the wild is a lot bigger and more complicated than this, but to begin, here is an explanation (by metaphor) of
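The two points the thread keeps circling back to are the packet-size amplification described by Robert Story and Michael Sierchio (a small request, a huge response, sent to whoever the spoofed source address names) and the open-recursion test itself (a server that recurses for anyone, versus one that restricts recursion to its own subnets as Ross Wheeler suggests). The script below is an added example written for this page, not code posted by anyone in the thread. It builds a DNS query in wire format, parses the reply header, decides from the RA/AA/RCODE flags and answer count whether a server is acting as an open recursive resolver, and computes the byte-level amplification. The "open" and "closed" replies are constructed sample packets, not captures; example.com and the 192.0.2.x addresses are documentation values; and the roughly 64x figure is a property of the constructed TXT RRset, not a measurement of any real server. The `probe()` function is the only part that touches the network and is there for checking a resolver you are authorised to test.

```python
# Added example (not from any poster in this thread): build a DNS query on the
# wire, parse the reply header, and measure open recursion and amplification.
# Standard library only. The responses below are constructed samples, not captures.
import socket
import struct

QTYPE_A, QTYPE_TXT, QTYPE_ANY, QCLASS_IN = 1, 16, 255, 1
RCODE_NOERROR, RCODE_REFUSED = 0, 5


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels plus a root byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1..63 bytes: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_ANY, txid=0x1234, rd=True):
    """12-byte header (RD set = 'please recurse for me') plus one question."""
    flags = 0x0100 if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Decode the fixed header; RA, AA and RCODE are what the open-resolver check needs."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def is_open_recursive(query, response):
    """True when the server answered our recursive question for a zone it does not
    serve: QR set, IDs match, RA set, not authoritative, NOERROR, answers present."""
    q, r = parse_header(query), parse_header(response)
    return (r["qr"] and r["id"] == q["id"] and r["ra"] and not r["aa"]
            and r["rcode"] == RCODE_NOERROR and r["ancount"] > 0)


def amplification(query, response):
    """Bytes the reflector sends to the spoofed victim per byte the attacker sends."""
    return len(response) / len(query)


def build_response(query, rdatas, ra=True, aa=False, rcode=RCODE_NOERROR):
    """Constructed sample only: echo the question and attach one answer RR per
    (type, rdata) pair, owned by the question name via compression pointer 0xC00C."""
    q = parse_header(query)
    flags = (0x8000 | (0x0100 if q["rd"] else 0) | (0x0080 if ra else 0)
             | (0x0400 if aa else 0) | rcode)
    header = struct.pack("!HHHHHH", q["id"], flags, 1, len(rdatas), 0, 0)
    body = b""
    for rtype, rdata in rdatas:
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, QCLASS_IN, 3600, len(rdata)) + rdata
    return header + query[12:] + body


def txt_rdata(n_strings, size=255):
    """TXT rdata is a run of <len><bytes> character-strings, at most 255 bytes each."""
    return b"".join(bytes([size]) + b"x" * size for _ in range(n_strings))


def sample_open_resolver():
    """29-byte ANY query; 1865-byte reply (two A RRs plus a 1792-byte TXT RRset)."""
    query = build_query("example.com")
    response = build_response(query, [
        (QTYPE_A, bytes([192, 0, 2, 1])),
        (QTYPE_A, bytes([192, 0, 2, 2])),
        (QTYPE_TXT, txt_rdata(7)),
    ])
    return query, response


def sample_closed_resolver():
    """What a resolver that limits recursion to its own subnets sends an outsider:
    REFUSED, RA clear, no answers, so the reply is no bigger than the query."""
    query = build_query("example.com")
    return query, build_response(query, [], ra=False, rcode=RCODE_REFUSED)


def probe(server, name="example.com", timeout=2.0):
    """Live check of one resolver you are authorised to test (not used offline)."""
    query = build_query(name, QTYPE_A)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        response, _ = s.recvfrom(4096)
    return is_open_recursive(query, response), amplification(query, response)


if __name__ == "__main__":
    for label, (q, r) in (("open", sample_open_resolver()),
                          ("closed", sample_closed_resolver())):
        print(label, is_open_recursive(q, r), "x%.1f" % amplification(q, r))
```

The check deliberately keys on the header rather than on whether the answer "looks right": a server that recurses for strangers sets RA and returns NOERROR with answers for a name it is not authoritative for, while one that restricts recursion to trusted subnets returns REFUSED and nothing else, which is also why restricting recursion removes the amplification and not merely the abuse. The ratio is computed over whole messages, so it already accounts for the query being repeated in the answer section.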