On Sun, 26 Mar 2006, Geo. wrote:
Spoofing is indeed the attack vector and it can also be utilized for
NTP, ICMP, etc. It is to blame.
Still, DNS is what's being exploited and in my opinion a broken feature
being exploited needs fixing, or it will be exploited.
What feature of DNS is being exploited, UDP or the fact that there are a lot
of dns servers you can use?
If you have a 20,000 bot botnet and each bot has 2 defined recursive dns
servers that it is allowed to use and these bots are on the local subnet (ie
BCP38 is implimented at the gateway but not at every router) then how
exactly is locking down recursive servers so you can only use yours going to
solve anything?
Right now you don't need the 20,000 bot botnet. You can find plenty of
recursive nameservers to send large responses to your victim. Even if we
moved to a state where a 20,000 bot botnet could take you down, that's
still better than anyone on a cable modem can take you down.
However, properly fixed the 20,000 bot botnet isn't able to perform this
sort of attack unless all 20,000 bots are on your ISPs network.
Each bot has 2 nameservers. Properly configured, those nameservers should
only send responses to the customers of the ISP in question (this would
require dns server changes, not firewall rules blocking the requests).
If the victim of the attack is not on the list of allowed clients, then
the bot would send the request to its own nameservers, and the nameservers
would refuse to respond since the victim is not an allowed IP.
Greg