Re: Dynamic DNS

From: Stefan Laudat (stefanat_private)
Date: Tue Aug 31 1999 - 01:35:59 PDT

Next message: Paul Leach (Exchange): "Re: IE and cached passwords"

Previous message: Przemyslaw Frasunek: "Babcia Padlina Ltd. security advisory: mars_nwe buffer overf"
Maybe in reply to: Jethro Tull: "Dynamic DNS"
Next in thread: Brad Knowles: "Re: Dynamic DNS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>    8.2. A denial of service attack can be launched by flooding an update
>    forwarder with TCP sessions containing updates that the primary
>    master server will ultimately refuse due to permission problems.
>    This arises due to the requirement that an update forwarder receiving
>    a request via TCP use a synchronous TCP session for its forwarding
>    operation.  The connection management mechanisms of [RFC1035 4.2.2]
>    are sufficient to prevent large scale damage from such an attack, but
>    not to prevent some queries from going unanswered during the attack.

Newest versions of BIND8 die when secondary DNS authorities (or any other hosts) shamelessly
ask for zone transfers/updates in a mass amount,although there are some strongly-defined
acl's. The result is a BIG DoS, rising the load average to Himalaya and blowing up the dns server.
Bug reported already,with a short and concise (should I say amateurish?) bounce answer: "Hell, you can DoS
a lot of services that way!". Just imagine DNS1.microsoft.com under heavy assault.What if the next day
someone finds a good apache DoS and gets rejected ?
Oh,I remembered. Spoofed IP packets are the favourites of the day, you need only to attack not to
listen to the last whispers of a dying server. You just don't want to be logged,
do you ? :>

> All Dynamic DNS services that I know of are vulnerable .
> I am not going to include code, but it is a trivial task to spoof a packet
> (UDP or TCP) with RR data in the
> format this RFC specifies.  In other words, anyone can manipulate RR
> records by sending bogus data
> because the only authentication is IP.

Good old juggernaut should be enough for that >=-). For kiddies it's reccomended to read RFC's
and assemble packets on their own, there are a lot of packet-assembling tools on the Net.


--

Stefan Laudat
Data Networks Analyst
ASIT SA
----------------------------------------------------------------
Skills page http://www.tekmetrics.com/transcript.shtml?pid=30777
----------------------------------------------------------------

!07/11 PDP a ni deppart m'I  !pleH

Next message: Paul Leach (Exchange): "Re: IE and cached passwords"
Previous message: Przemyslaw Frasunek: "Babcia Padlina Ltd. security advisory: mars_nwe buffer overf"
Maybe in reply to: Jethro Tull: "Dynamic DNS"
Next in thread: Brad Knowles: "Re: Dynamic DNS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:00:50 PDT