On 15/05/13 16:42, Martijn Grooten wrote:
> > It's been a big problem for quite some time.

Although I'd question if the open resolvers should be the main focus here. The more general issue is the spoofing, which has been reduced greatly, but it is still the case that something like 14% of the Internet can spoof other people's addresses with some degree of success. If they can't spoof, they can't do a DNS reflection attack, or any other reflected attack, including things like TCP SYN reflection.

If you can make DNS queries with spoofed sources you can use authoritative servers in the attack instead of recursive resolvers.

    $ dig +norec +notcp @ns1.msft.net microsoft.com any

gives an 820-byte reply; it is not hard to imagine how to automate similar. The first .com name servers happily gave me 1700+ byte responses to obvious queries. Even a simple request for ". any" gives significant amplification from Microsoft's servers with no customisation for the authoritative server, and my belief is they are not atypical.

Sure, authoritative-server-based reflection is not as effective in general, and there are fewer of them, but there is still plenty of scope for 10-fold-plus amplification, and the authoritative servers tend to be well connected, so less likely to hit resource limits. It is potentially a slightly harder attack to organize, but the barrier doesn't shift that much, especially if your authoritative servers issue referrals to the root servers, or other large answers to very small queries.

http://spoofer.cmand.org/

I did do some research into the responses various authoritative servers gave for various requests, but I don't think I published it anywhere. I remember asking the administrator from Bytemark how he'd configured the authoritative servers, as they couldn't be coerced to reflect anything but their own succinct answers at the time. In general, responses like referral to the root name servers were common and offered moderate amplification.

Big amplification for "ANY" queries for the name servers' zones is common, although some servers have recently just stopped answering "ANY" at all; however, with DNSSEC arriving (and EDNS) that doesn't necessarily help as much as one might hope.

It may seem pedantic, but we've seen with email spam that if you don't address the right issue, all you do is displace or modify the abuse. So sure, SMTP spam is terribly inefficient, so just use that botnet to do DDoS, or reflect DNS attacks, or show ads to end users, or steal credit card credentials from the end user. The problem was the botnets, the symptom was spam; we treated the symptom, largely because it was in our remit to address. Microsoft eventually got around to addressing some of the real problem.

Oh, and Debian users: Debian BIND does the "right thing" out of the box for recursive resolvers. By all means check it, but good folk have been here before you to make the defaults work. Authoritative servers, on the other hand, using BIND out of the box... hmm.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
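The post's "10-fold plus" figure can be checked from sizes alone. The following is an added example (not from the post or the list) that builds the wire-format payload `dig +norec` sends for the two queries the post mentions, and computes the amplification factor a spoofed-source query would yield, both on the UDP payload and on the wire once IPv4 and UDP headers are counted. The 820- and 1700-byte response sizes are the ones quoted in the post; the 10x threshold and the function names are this example's own choices.

```python
import struct

UDP_IP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte UDP header per packet
QTYPES = {"A": 1, "NS": 2, "TXT": 16, "ANY": 255}


def encode_qname(name: str) -> bytes:
    """Encode a domain name in DNS wire format; the root '.' is a single zero byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return out + b"\x00"


def build_query(name: str, qtype: str = "ANY", recursion_desired: bool = False,
                txid: int = 0x1234) -> bytes:
    """Minimal UDP payload for a query without EDNS, as `dig +norec` sends it.
    RD clear mirrors +norec; QDCOUNT=1 and the other section counts are 0."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_qname(name) + struct.pack("!HH", QTYPES[qtype], 1)  # class IN
    return header + question


def amplification(query_len: int, response_len: int, on_wire: bool = True) -> float:
    """Bytes the reflector emits per byte the spoofing host sends.
    on_wire=True adds IPv4+UDP headers, which is what the victim's link sees."""
    if on_wire:
        return (response_len + UDP_IP_OVERHEAD) / (query_len + UDP_IP_OVERHEAD)
    return response_len / query_len


def assess(name: str, qtype: str, response_len: int, threshold: float = 10.0) -> dict:
    """Summarise one query/response pair; threshold is the post's '10 fold' bar."""
    query = build_query(name, qtype)
    factor = amplification(len(query), response_len)
    return {
        "query_bytes": len(query),
        "response_bytes": response_len,
        "factor": round(factor, 1),
        "exceeds_threshold": factor >= threshold,
    }


if __name__ == "__main__":
    # Response sizes quoted in the post; nothing is sent anywhere.
    for name, qtype, size in [("microsoft.com", "ANY", 820), (".", "ANY", 1700)]:
        print(assess(name, qtype, size))
```

Even with the 28 bytes of headers that shrink the ratio, the 820-byte answer to a 31-byte question is a 14x amplifier, and the 1700-byte answer to the 17-byte ". any" question is 38x on the wire and 100x on payload alone, which is why response rate limiting and refusing ANY on authoritative servers matter even though they are not open resolvers.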