Full Disclosure mailing list archives

Re: New DDoS attack vector
From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Fri, 20 May 2011 02:24:07 +0000

On May 19, 2011, at 9:44 PM, minor float wrote:

> Dear list readers, today we officially published our observations regarding the new attack vector of the DDoS
> against the DNS servers.


Filtering out the bogus DNS queries generated by the MX-record lookups is pretty trivial with modern intelligent DDoS 
mitigation systems (IDMS).

The assertion that 'previous Denial of Service attacks against the DNS servers received either malformed, fragmented, 
ICMP messages or TCP SYN, with invalid length, or oversized and some of these can be filtered by the firewalls or 
security appliances' is demonstrably false.  DNS servers have been targeted by bogus queries intended to exhaust the 
DNS server resources directly, or via spoofed queries which are intended to generate reflection/amplification attacks, 
but which also have a deleterious effect on the performance of the abused open recursors, for many years.

The posited scenario is unnecessarily complex.  It's a heck of a lot easier to simply bombard targeted authoritative 
DNS servers with spoofed bogus queries from botnets and/or hit them with reflection/amplification attacks, rather than 
go through these elaborate steps of registering a domain, pointing the NS/MX records at the target, then generating lots 
of spam.

The proximate attack method described - layer-7 DDoS via excessive queries - isn't new or unique, and the 
NS-record-related steps are unnecessary.  There's simply no need to go to this amount of trouble to launch a DDoS 
attack against authoritative DNS servers, nor is such an attack as difficult to defend against as is claimed in the 
write-up, meaning that this attack methodology has no unique advantages to justify the extra steps regarding 
re-targeting NS/MX records and spam generation.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

                The basis of optimism is sheer terror.

                          -- Oscar Wilde
