[nsp-sec] DNS amplification attack to 213.171.220.101
White, Gerard
Gerard.White at aliant.ca
Mon Feb 16 06:42:58 EST 2009
I did not realize that! Thanks for the insight, Florian!
GW
855 - Bell Aliant
-----Original Message-----
From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Florian Weimer
Sent: Monday, February 16, 2009 8:03 AM
To: White, Gerard
Cc: NSP nsp-security
Subject: Re: [nsp-sec] DNS amplification attack to 213.171.220.101
----------- nsp-security Confidential --------
* Gerard White:
> Yup. For practically every DNS speaking device I can find here,
> there's a continuous type 16 (Text Strings) Query for
> "johnmadness.com"... Query ID's are unique and random. oddly
> enough there's an additional record present in the queries - a Type
> 41 (Option) (Class 65535).
The OPT pseudo-RR enables clients to request larger UDP packets than
the default 512 bytes. This way, you can achieve an amplification
factor between 70 and 80 in a reflective attack.
--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________
More information about the nsp-security
mailing list