Home page logo

nanog logo nanog mailing list archives

Re: Tightened DNS security question re: DNS amplification attacks.
From: Chris Adams <cmadams () hiwaay net>
Date: Tue, 27 Jan 2009 22:19:40 -0600

Once upon a time, David Andersen <dga () cs cmu edu> said:
Actually, ". IN NS" is a particularly useful thing for them to do,  
because it's an almost globally guaranteed response that will get a  
large response and be in cache.

That's only true on servers that aren't well-configured.

"<tld>. IN NS", of course, but the set of things that work well for  
such an attack are relatively limited.

Try "aol.com. MX", "hotmail.com. MX", any domain with a big SPF TXT
record, etc.  There's nothing really special about ". NS".  If somebody
is serving cached data to the world (even if they aren't recursing for
the world), there are any number of things that are likely in the cache.

And, since most people have SMTP servers, it is often easy to "prime"
somebody's cache, since the SMTP servers often use the same DNS servers.

Chris Adams <cmadams () hiwaay net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]