[11635] in bugtraq
Re: Dynamic DNS
daemon@ATHENA.MIT.EDU (Stefan Laudat)
Wed Sep 1 17:30:09 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19990831113559.A8172@asit.ro>
Date: Tue, 31 Aug 1999 11:35:59 +0300
Reply-To: Stefan Laudat <stefan@NS.ASIT.RO>
From: Stefan Laudat <stefan@NS.ASIT.RO>
X-To: Jethro Tull <jethro@DQC.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.BSO.4.10.9908281959080.24118-100000@dqc.org>; from Jethro
Tull on Sat, Aug 28, 1999 at 08:08:36PM -0700
> 8.2. A denial of service attack can be launched by flooding an update
> forwarder with TCP sessions containing updates that the primary
> master server will ultimately refuse due to permission problems.
> This arises due to the requirement that an update forwarder receiving
> a request via TCP use a synchronous TCP session for its forwarding
> operation. The connection management mechanisms of [RFC1035 4.2.2]
> are sufficient to prevent large scale damage from such an attack, but
> not to prevent some queries from going unanswered during the attack.
Newest versions of BIND8 die when secondary DNS authorities (or any other hosts) shamelessly
ask for zone transfers/updates in a mass amount,although there are some strongly-defined
acl's. The result is a BIG DoS, rising the load average to Himalaya and blowing up the dns server.
Bug reported already,with a short and concise (should I say amateurish?) bounce answer: "Hell, you can DoS
a lot of services that way!". Just imagine DNS1.microsoft.com under heavy assault.What if the next day
someone finds a good apache DoS and gets rejected ?
Oh,I remembered. Spoofed IP packets are the favourites of the day, you need only to attack not to
listen to the last whispers of a dying server. You just don't want to be logged,
do you ? :>
> All Dynamic DNS services that I know of are vulnerable .
> I am not going to include code, but it is a trivial task to spoof a packet
> (UDP or TCP) with RR data in the
> format this RFC specifies. In other words, anyone can manipulate RR
> records by sending bogus data
> because the only authentication is IP.
Good old juggernaut should be enough for that >=-). For kiddies it's reccomended to read RFC's
and assemble packets on their own, there are a lot of packet-assembling tools on the Net.
--
Stefan Laudat
Data Networks Analyst
ASIT SA
----------------------------------------------------------------
Skills page http://www.tekmetrics.com/transcript.shtml?pid=30777
----------------------------------------------------------------
!07/11 PDP a ni deppart m'I !pleH
