> 8.2. A denial of service attack can be launched by flooding an update > forwarder with TCP sessions containing updates that the primary > master server will ultimately refuse due to permission problems. > This arises due to the requirement that an update forwarder receiving > a request via TCP use a synchronous TCP session for its forwarding > operation. The connection management mechanisms of [RFC1035 4.2.2] > are sufficient to prevent large scale damage from such an attack, but > not to prevent some queries from going unanswered during the attack. Newest versions of BIND8 die when secondary DNS authorities (or any other hosts) shamelessly ask for zone transfers/updates in a mass amount,although there are some strongly-defined acl's. The result is a BIG DoS, rising the load average to Himalaya and blowing up the dns server. Bug reported already,with a short and concise (should I say amateurish?) bounce answer: "Hell, you can DoS a lot of services that way!". Just imagine DNS1.microsoft.com under heavy assault.What if the next day someone finds a good apache DoS and gets rejected ? Oh,I remembered. Spoofed IP packets are the favourites of the day, you need only to attack not to listen to the last whispers of a dying server. You just don't want to be logged, do you ? :> > All Dynamic DNS services that I know of are vulnerable . > I am not going to include code, but it is a trivial task to spoof a packet > (UDP or TCP) with RR data in the > format this RFC specifies. In other words, anyone can manipulate RR > records by sending bogus data > because the only authentication is IP. Good old juggernaut should be enough for that >=-). For kiddies it's reccomended to read RFC's and assemble packets on their own, there are a lot of packet-assembling tools on the Net. -- Stefan Laudat Data Networks Analyst ASIT SA ---------------------------------------------------------------- Skills page http://www.tekmetrics.com/transcript.shtml?pid=30777 ---------------------------------------------------------------- !07/11 PDP a ni deppart m'I !pleH
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:00:50 PDT