[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: recursive DNS servers DDoS as a growing DDoS problem
- To: Gadi Evron <ge@xxxxxxxxxxxx>
- Subject: Re: recursive DNS servers DDoS as a growing DDoS problem
- From: v9 <v9@xxxxxxxxxxx>
- Date: Wed, 1 Mar 2006 19:34:09 -0500 (EST)
Here are some dns servers I gathered/scanned during the time I researched
this months ago(that appear to still be up):
Just remember when you test/capture packets that the domain being
resolved must NOT exist(ie. "x").
On Thu, 2 Mar 2006, Gadi Evron wrote:
> v9@xxxxxxxxxxx wrote:
> > While you're on the subject of the potentials of DOSing using DNS servers,
> > I noticed several months ago some possible abuses myself, although I soon
> > lost interest for some reason or another.
> >
> > I noticed that a portion of the worlds DNS servers for some reason or
> > another send back large amounts of duplicate replies if, and only if, the
> > domain being resolved does not exist.
> >
> > The amount of duplicates seems to range between 2 and 24(in steps of 2, 4,
> > 8, 12, 16, 20 and 24), where each reply packet is roughly 2.5x(including IP
> > header) larger than the original request(because of the SOA). So, for
> > example one request to a DNS server that sends 24 dups back would roughly
> > equal 60x(24*2.5) amplification of data.
> This is very interesting. I don't have any idea why that is happeniong
> (yet). Can you share packet captures?