[41420] in bugtraq
Re: DNS query spam
daemon@ATHENA.MIT.EDU (Florian Weimer)
Wed Nov 30 05:33:23 2005
From: Florian Weimer <fw@deneb.enyo.de>
To: "Piotr Kamisiski" <rotunda@ktd.krakow.pl>
Cc: bugtraq@securityfocus.com
Date: Tue, 29 Nov 2005 17:42:50 +0100
In-Reply-To: <Pine.LNX.4.63.0511272319350.14403@raq.ktd.krakow.pl> (Piotr Kamisiski's message of "Sun, 27 Nov 2005 23:30:21 +0100 (CET)")
Message-ID: <87psojmmlx.fsf@mid.deneb.enyo.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
* Piotr Kamisiski:
> 23:05:40.241026 IP 204.92.73.10.40760 > xx.xx.xx.xx.53: 38545+ [1au] ANY ANY? e.mpisi.com. (40)
204.92.73.10 is one of the IP addresses for irc.efnet.ca. Someone is
spoofing the source addresses, in the hope that DNS servers will
return a large record set.
Could you check if the packets contain OPT records (e.g. using
"tcpdump -s 0 -v")? This protocol extension is described in the RFC
for EDNS0 (RFC 2671). EDNS0-capable DNS resolvers can send fragmented
UDP packets, exceeding the traditional 512 byte limit of DNS UDP
replies. The BIND 9 default maximum response size is 4096, for
example.
If the spoofed requests contain OPT records, you typically get an
amplification factor of about 60 in terms of bandwidth, and 5 in terms
of packet rate, but actual numbers may vary.
Yet another reason to restrict access to your recursive resolvers to
customers only.
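As an added example (not part of Florian's message), a small Python parser that does the check he asks for: decode a DNS query, report whether it carries an EDNS0 OPT record and the UDP payload size that record advertises, and flag ANY queries with a large OPT payload as the amplification pattern discussed in the thread. The sample bytes are a constructed reconstruction of the 40-byte query in the quoted tcpdump line; the transaction id, name, type and length match that line, the OPT payload size of 4096 is assumed.

```python
import struct

RRTYPE_OPT = 41
TYPE_NAMES = {1: "A", 2: "NS", 15: "MX", 16: "TXT", 28: "AAAA", 255: "ANY"}

def read_name(pkt, off):
    """Decode a DNS name at offset, following compression pointers (RFC 1035 4.1.4)."""
    labels, jumped, end = [], False, off
    for _ in range(128):                       # guard against pointer loops
        length = pkt[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:              # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    else:
        raise ValueError("name too long or pointer loop")
    return ".".join(labels) + ".", (end if jumped else off)

def parse_query(pkt):
    """Extract the fields a resolver operator wants to see for a suspect query."""
    txid, _flags, _qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    qname, off = read_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    edns_size = None
    for _ in range(an + ns + ar):              # walk the RR sections looking for OPT
        _, off = read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == RRTYPE_OPT:
            edns_size = rclass                 # OPT reuses CLASS as the UDP payload size
    return {"id": txid, "qname": qname, "qtype": TYPE_NAMES.get(qtype, str(qtype)),
            "edns_udp_size": edns_size, "length": len(pkt)}

def looks_like_amplification_probe(pkt):
    """ANY query whose OPT record advertises more than 512 bytes: the pattern in the thread."""
    q = parse_query(pkt)
    return q["qtype"] == "ANY" and (q["edns_udp_size"] or 0) > 512

# Constructed reconstruction of the 40-byte query in the tcpdump line: id 38545, RD set,
# one question (e.mpisi.com. ANY IN), one additional OPT RR advertising 4096 bytes (assumed).
SAMPLE = (b"\x96\x91\x01\x00\x00\x01\x00\x00\x00\x00\x00\x01"
          b"\x01e\x05mpisi\x03com\x00\x00\xff\x00\x01"
          b"\x00\x00\x29\x10\x00\x00\x00\x00\x00\x00\x00")
```

Feeding the same function the payloads tcpdump captures with `-s 0` lets an operator count how many incoming queries fit the ANY-plus-OPT pattern before deciding on recursion restrictions.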