This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] Name servers problems
Jørgen Hovland
jorgen at hovland.cx
Mon Feb 27 11:39:32 CET 2006
----- Original Message -----
From: "Jaap Akkerhuis" <jaap at NLnetLabs.nl>

> For those not on NANOG, on that list is quite some discussion going
> on about using (recursive) name servers for amplification attacks.
> The discussion starts at
> http://www.merit.edu/mail.archives/nanog/threads.html#16000.o
>
> There is a special mailing list devoted on this problem by the isc:
> http://lists.oarci.net/mailman/listinfo/dns-operations, and this
> list is open to anyone.
>
> There is a US cert warning about this:
> http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf.
>
> The upshot is: Close your open recursive nameservers.
>
> Other info: http://dns.measurement-factory.com/surveys/sum1.html
> and a plug for a secure template by the cymru guys:
> http://www.cymru.com/Documents/secure-bind-template.html
>
> Maybe all this is worth a slot at the coming dns-wg (or eof) meeting?
>
> jaap
>
> Acknowledgement: Information compiled from messages from Harvey
> Allen, Lucy Lynch, Rob Thomas and others.
>
>

It might be worth mentioning that DNS is not the only service being abused for this kind of attack. Strictly speaking, any service replying to spoofed packets with more data than what it received is affected. That includes the TCP protocol and also authoritative nameservers (tip: dig -t a b.n @a.nic.fr) that respond to queries. But recursive nameservers are obviously an easier target... for now.

j

(who finds it interesting that people are discussing this issue now and not around the year 2000, which was, at least for me, the first time I noticed this problem.)
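
Added example, not part of the original message or of any project named in it: a Python check an operator can run over a query/response pair captured against their own name server, reporting the response-to-query size ratio the message describes and whether the reply looks like recursion performed for the client. The function names, the "recursed_for_client" heuristic and the sample packets are assumptions constructed for illustration.

```python
import struct

QR, AA, TC, RA = 0x8000, 0x0400, 0x0200, 0x0080  # DNS header flag bits (RFC 1035)

def build_query(qname, qtype=1, txid=0x1234):
    """Minimal DNS query for qname with RD (recursion desired) set."""
    name = b"".join(bytes([len(p)]) + p.encode("ascii")
                    for p in qname.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!2H", qtype, 1)

def assess(query, response):
    """Classify one query/response pair captured against your own server."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", response[:12])
    if not flags & QR or txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("not a response to this query")
    rcode = flags & 0x000F
    return {
        "rcode": rcode,
        "truncated": bool(flags & TC),
        # Heuristic (assumption): non-authoritative answer data with RA set
        # means the server recursed on behalf of the client that asked.
        "recursed_for_client": bool(flags & RA) and not flags & AA
                               and rcode == 0 and ancount > 0,
        # Bytes sent back per byte received: above 1.0 the server amplifies.
        "amplification": round(len(response) / len(query), 2),
    }

def constructed_response(query, flags, answers=0):
    """Constructed sample reply: echoes the question, appends A records."""
    txid = query[:2]
    # One A record: compression pointer to the question name, TTL 300, 192.0.2.1
    rr = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return txid + struct.pack("!5H", flags, 1, answers, 0, 0) + query[12:] + rr * answers

if __name__ == "__main__":
    q = build_query("example.com")
    open_reply = constructed_response(q, QR | 0x0100 | RA, answers=4)
    auth_reply = constructed_response(q, QR | AA, answers=4)
    closed_reply = constructed_response(q, QR | 0x0100 | 5)  # rcode 5 = REFUSED
    print("open resolver :", assess(q, open_reply))
    print("authoritative :", assess(q, auth_reply))
    print("refused       :", assess(q, closed_reply))
```

The authoritative sample is not flagged as recursion yet shows the same size ratio as the open-resolver sample, which is the point made in the reply above.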