This Mail  arrived just over the Full-Disclosure mailinglist
, but should probably also be of interest to some people here.
-------- Original Message --------
Subject: [Full-disclosure] DNS Smurf revisited
Date: Fri, 27 May 2005 10:28:37 -0400
From: Ian Gulliver <ian-fulldisclosure(a)penguinhosting.net>
DNS smurf is old news:
However, as ISPs continue to operate networks that let spoofed
packets out this issue deserves a little publicity again.
10:17:07.641061 IP (tos 0x0, ttl 64, id 46429, offset 0, flags
[DF], length: 49) XXXXXXXXXXXXX.44295 >
c.gtld-servers.net.domain: [udp sum ok] 18297 ANY? org. (21)
10:17:07.673800 IP (tos 0x0, ttl 43, id 0, offset 0, flags [DF],
length: 468) c.gtld-servers.net.domain > XXXXXXXXXXXXX.44295:
18297- 0/13/13 (440)
% echo "2 k 468 49 / p" | dc
That's a 9.5X amplification of outgoing traffic; you can probably
break 10X with a little more work on the query and nameserver
ISPs: Drop outgoing packets that don't originate from within your
network. You should already be doing this, as it stops a variety
of other attacks.
NS operators: Ratelimit?
Attached is a modernized proof of concept.
"Failure is not an option; it comes bundled with your Microsoft
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/