[nsp-sec] DNS amplification attack to 213.171.220.101
Florian Weimer
fweimer at bfk.de
Mon Feb 16 06:32:42 EST 2009
* Gerard White:
> Yup. For practically every DNS speaking device I can find here,
> there's a continuous type 16 (Text Strings) Query for
> "johnmadness.com"... Query ID's are unique and random. oddly
> enough there's an additional record present in the queries - a Type
> 41 (Option) (Class 65535).
The OPT pseudo-RR enables clients to request larger UDP packets than
the default 512 bytes. This way, you can achieve an amplification
factor between 70 and 80 in a reflective attack.
--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
More information about the nsp-security
mailing list