[41416] in bugtraq
Re: DNS query spam
daemon@ATHENA.MIT.EDU (Piotr Kamisiński)
Wed Nov 30 01:10:44 2005
From: "Piotr Kamisiński" <rotunda@ktd.krakow.pl>
Date: Tue, 29 Nov 2005 17:57:41 +0100 (CET)
To: Florian Weimer <fw@deneb.enyo.de>
Cc: bugtraq@securityfocus.com
In-Reply-To: <87psojmmlx.fsf@mid.deneb.enyo.de>
Message-ID: <Pine.LNX.4.63.0511291750110.17489@raq.ktd.krakow.pl>
Hello
Thanks for your response.
The requests don't contain OPT records, but the data I've analysed doesn't
cover the most intense attacks. Today has been particularly quiet. I'll
wait to accumulate more data.
On Tue, 29 Nov 2005, Florian Weimer wrote:
> * Piotr Kamisiński:
>
>> 23:05:40.241026 IP 204.92.73.10.40760 > xx.xx.xx.xx.53: 38545+ [1au] ANY ANY? e.mpisi.com. (40)
>
>
> 204.92.73.10 is one of the IP addresses for irc.efnet.ca. Someone is
> spoofing the source addresses, in the hope that DNS servers will
> return a large record set.
>
> Could you check if the packets contain OPT records (e.g. using
> "tcpdump -s 0 -v")? This protocol extension is described in the RFC
> for EDNS0 (RFC 2671). EDNS0-capable DNS resolvers can send fragmented
> UDP packets, exceeding the traditional 512 byte limit of DNS UDP
> replies. The BIND 9 default maximum response size is 4096, for
> example.
>
> If the spoofed requests contain OPT records, you typically get an
> amplification factor of about 60 in terms of bandwidth, and 5 in terms
> of packet rate, but actual numbers may vary.
>
> Yet another reason to restrict access to your recursive resolvers to
> customers only.
>
Best regards,
Piotr Kamisiński
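A defender-side triage script for tcpdump query lines of the kind quoted in this thread, added here as an example and not part of either poster's message: it flags repeated ANY queries per source, reads tcpdump's `[Nau]` additional-record count as a likely EDNS0 OPT marker (the thing Florian asks to confirm with `tcpdump -s 0 -v`), and bounds the possible reflected volume with the 512-byte and 4096-byte ceilings he cites. The sample lines are constructed from the shape of the quoted capture; the addresses and names in them are not evidence of anything.

```python
import re
from collections import defaultdict

# Shape of the tcpdump query line quoted in the thread (sample lines below are
# constructed from it; addresses and names are not real evidence):
#   23:05:40.241026 IP 204.92.73.10.40760 > xx.xx.xx.xx.53: 38545+ [1au] ANY ANY? e.mpisi.com. (40)
QUERY_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.\d+ > \S+\.53: \d+\+? (?:\[(?P<au>\d+)au\] )?"
    r"(?:(?:ANY|CH|HS) )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<size>\d+)\)$"
)
# Reply-size ceilings named in the thread: 512 bytes for plain DNS over UDP,
# 4096 bytes (the BIND 9 default) when the query carries an EDNS0 OPT record.
PLAIN_UDP_MAX, EDNS0_DEFAULT_MAX = 512, 4096


def parse_query(line):
    """Fields of one tcpdump DNS query line, or None for anything else."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    # tcpdump prints the additional-section count as [Nau]; an additional record
    # in a query is almost always an EDNS0 OPT record (confirm with tcpdump -v).
    return {"src": m["src"], "qtype": m["qtype"], "qname": m["qname"],
            "size": int(m["size"]), "edns0_likely": int(m["au"] or 0) > 0}


def summarize(lines):
    """Per source: query/ANY/OPT counts and a deliberate worst-case amplification bound."""
    stats = defaultdict(lambda: {"queries": 0, "any": 0, "edns0": 0,
                                 "req_bytes": 0, "max_reply_bytes": 0})
    for q in filter(None, map(parse_query, lines)):
        s = stats[q["src"]]
        s["queries"] += 1
        s["any"] += q["qtype"] == "ANY"
        s["edns0"] += q["edns0_likely"]
        s["req_bytes"] += q["size"]
        # Upper bound: assume every reply hits its size ceiling.
        s["max_reply_bytes"] += EDNS0_DEFAULT_MAX if q["edns0_likely"] else PLAIN_UDP_MAX
    for s in stats.values():
        s["amp_upper_bound"] = round(s["max_reply_bytes"] / s["req_bytes"], 1)
    return dict(stats)


def suspicious_sources(stats, min_any=2):
    """Sources sending repeated ANY queries: candidates for spoofed reflection traffic."""
    return sorted(src for src, s in stats.items() if s["any"] >= min_any)


SAMPLE = [  # constructed; only the first line's shape comes from the thread
    "23:05:40.241026 IP 204.92.73.10.40760 > xx.xx.xx.xx.53: 38545+ [1au] ANY ANY? e.mpisi.com. (40)",
    "23:05:40.241310 IP 204.92.73.10.40760 > xx.xx.xx.xx.53: 38546+ [1au] ANY ANY? e.mpisi.com. (40)",
    "23:05:40.242001 IP 204.92.73.10.40761 > xx.xx.xx.xx.53: 38547+ ANY ANY? e.mpisi.com. (29)",
    "23:05:41.000512 IP 10.0.0.7.5353 > xx.xx.xx.xx.53: 1024+ A? www.example.net. (33)",
]
```

Sources that appear here with many ANY queries are the spoofed victims, not the attacker, so the right response is rate limiting and restricting recursion to customers, as the thread says, not blocking the listed address.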