On 15/05/13 20:47, Simon Waters wrote:
> On 15/05/13 16:42, Martijn Grooten wrote:
>> It's been a big problem for quite some time.
>
> Although I'd question if the open resolvers should be the main focus here.
>
> The more general issue is the spoofing, which has been reduced greatly,
> but is still something like 14% of the Internet can spoof other people's
> addresses with some degree of success.
>
> If they can't spoof they can't do a DNS reflection attack, or any other
> reflected attack, including things like TCP SYN reflection.
>
> If you can make DNS queries with spoofed sources you can use
> authoritative servers in the attack instead of recursive resolvers.
>
> $ dig +norec +notcp @ns1.msft.net microsoft.com any
>
> Gives an 820-byte reply; it is not hard to imagine how to automate similar.
>
> The first .com name servers happily gave me 1700+ byte responses to
> obvious queries.
>
> Even a simple request for ". any" gives significant amplification with
> no customisation for the authoritative server from Microsoft's servers,
> and my belief is they are not atypical.
>
> Sure, authoritative server based reflection is not as effective in
> general, and there are fewer of them, but still plenty of scope for
> 10-fold plus amplification, and the authoritative servers tend to be well
> connected, so less likely to hit resource limits.
>
> It is potentially a slightly harder attack to organize, but the barrier
> doesn't shift that much, especially if your authoritative server issues
> referrals to the root servers, or other large answers to very small queries.
>
> http://spoofer.cmand.org/
>
> I did do some research into the responses various authoritative servers
> gave for various requests, but I don't think I published it anywhere. I
> remember asking the administrator from Bytemark how he'd configured the
> authoritative servers as they couldn't be coerced to reflect anything
> but their own succinct answers at the time.
>
> In general responses like referral to the root name servers were common
> and offered moderate amplification. Big amplification for "ANY" queries
> for the name servers' zones is common, although some servers have
> recently just stopped answering "ANY" at all; however, with DNSSEC
> arriving (and EDNS) that doesn't necessarily help as much as one might hope.
>
> It may seem pedantic, but we've seen with email spam that if you don't
> address the right issue, all you do is displace or modify the abuse. So
> sure, SMTP spam is terribly inefficient, so just use that botnet to do
> DDOS, or reflect DNS attacks, or show ads to end users, or steal credit
> card credentials from the end user. The problem was the botnets, the
> symptom was spam; we treated the symptom, although largely because it
> was in our remit to address; Microsoft eventually got around to
> addressing some of the real problem.
>
> Oh, and Debian users - Debian BIND does the "right thing" out of the box
> for recursive resolvers. By all means check it, but good folk have been
> here before you to make the defaults work. Authoritative servers on the
> other hand using BIND out of the box.....hmm.

scapy.py is my favourite tool for packet spoofing fun, umm, I mean,
security research.

http://www.secdev.org/projects/scapy/

Regards

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
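To make the "authoritative BIND out of the box" point above concrete, here is an added named.conf fragment for an authoritative-only server; it is an example written for this thread, not Simon's or Debian's configuration, and it assumes a BIND 9 recent enough to have response rate limiting and the minimal-any option (the option names are from the BIND ARM). The commented-out lines show the permissive settings that leave a server able to reflect large answers to small spoofed queries; the active lines are the hardened equivalents.

```conf
// Added example (not from the thread): authoritative-only BIND 9 named.conf
// fragment. Assumes BIND 9.11+ for minimal-any; rate-limit needs 9.9.4+.
options {
    // Weak: a server that recurses for anyone is an open resolver.
    // recursion yes;
    // allow-recursion { any; };
    recursion no;                   // authoritative-only: never recurse
    allow-recursion { none; };      // belt and braces if recursion gets re-enabled

    // Weak: full additional/authority sections pad every reply.
    // minimal-responses no;
    minimal-responses yes;          // omit records the client did not ask for

    // Weak: "ANY" over UDP returns every RRset at the name.
    // minimal-any no;
    minimal-any yes;                // answer UDP ANY with a single RRset (TC if needed)

    // Response Rate Limiting: caps identical answers to one client /24 per second,
    // which is what blunts a reflection flood without refusing legitimate queries.
    rate-limit {
        responses-per-second 5;     // identical responses per client prefix per second
        referrals-per-second 5;     // referrals (e.g. to the root) count separately
        nodata-per-second 5;
        nxdomains-per-second 5;
        errors-per-second 5;
        slip 2;                     // every 2nd rate-limited reply is a small TC=1 answer,
                                    // so real clients retry over TCP while spoofed ones do not
        window 5;                   // seconds over which the per-second budget is averaged
        log-only no;                // set yes first to observe what would be limited
    };
};
```

Check the result with the same query shape Simon used against your own server (dig +norec +notcp @your-ns your-zone any) and compare the reply size before and after; a large drop and a TC flag on the UDP answer means the options took effect.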