On Wed, Aug 04, 2004 at 11:49:50AM -0700, John Hall wrote:

> It's possible the packets that solicited the traffic were spoofed, but
> it's generally more likely that someone on your network browsed the site
> in the last day or two and you just haven't yet been aged out of the list
> of sites the 3-DNS is keeping track of.
I do not know anything about 3-DNS apart from what I read in this thread, so please excuse me if I get anything wrong or seem to be not understanding:

1. Why do you need to measure metrics for my DNS days after I might have visited a site?
2. How does this kind of setup scale (imagine everyone did that)?

> >But wouldn't that make 3DNS an amplifier in a DoS attack? I guess it
> >depends on how it is configured. Seems so that, when configured wrong
> >with an overly aggressive configuration, it will respond with a multiple
> >of probe packets to a single spoofed reply.
>
> Definitely not! When your DNS server sends a query to 3-DNS, it's added
> to a list of sites to keep metrics for. The probes used to create those
> metrics are rate limited to one overall attempt to gather data per hour
> regardless of how many times you query the server. A single data gathering

And if I, for example, spoof DNS requests from each IP address in the /8 of the organization I dislike? Or I spoof DNS requests from every IP address in 0.0.0.0/0? Will you then be sending out probe packets for a few days to all these IP addresses? That sounds like a DoS amplifier to me.

> attempt will try each of its configured probe methods in turn to try and
> get a response, so you should never see more than 6 - 20 packets per hour,
> per group of 3-DNS's.

So worst case: 20 packets per hour times 2^32 possible IP addresses makes you send out 85899345920 an hour. Not bad. And that is for each of your customers, right?

> I don't think that could be a problem with 3-DNS. Your time would
> probably better be spent trying to ensure that no reconnaissance attempts
> return data that would be useful to an attacker. I suspect that even
> if every group of 3-DNS's in the world suddenly added you to their probe
> lists, you wouldn't see a significant amount of traffic. You'd probably
> notice it, but it wouldn't compare with the total amount of other
> unsolicited traffic you receive.
If I happen to have a /8 I might receive 5592405 probe packets a second per 3-DNS group. I would call that significant.

Nils

--
Do you have that in a slightly clearer form too, or are you the Oracle of Jena?
[Joerg Moeller to Lutz Donnerhacke in de.admin.net-abuse.news]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
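The amplification argument in this exchange, modelled as an added example that is not from the thread or from the 3-DNS product: a constructed simulation of a prober that, as John Hall describes it, probes each querying address at most once per hour with up to 20 packets per attempt, next to a variant with an aggregate outbound cap. It shows that the per-address limit alone leaves outbound load growing linearly with the number of distinct (spoofable) source addresses, while a global cap bounds it; the Prober class, the cap value and the 10.0.0.0/8 sample addresses are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

PACKETS_PER_ATTEMPT = 20   # upper bound quoted in the thread (6 - 20 per hour, per group)
HOUR = 3600                # seconds

@dataclass
class Prober:
    """Constructed model of a metrics prober (an assumption, not 3-DNS itself)."""
    global_cap_per_hour: Optional[int] = None   # None = per-site limit only, as described
    last_probe: Dict[str, int] = field(default_factory=dict)
    hour_start: int = 0
    sent_this_hour: int = 0
    packets_out: int = 0

    def on_query(self, src_ip: str, now: int) -> int:
        """A DNS query apparently from src_ip arrives at time now; return probes sent."""
        if now - self.hour_start >= HOUR:        # roll the aggregate window
            self.hour_start, self.sent_this_hour = now, 0
        last = self.last_probe.get(src_ip)
        if last is not None and now - last < HOUR:
            return 0                              # per-site limit: already probed this hour
        if (self.global_cap_per_hour is not None
                and self.sent_this_hour + PACKETS_PER_ATTEMPT > self.global_cap_per_hour):
            return 0                              # aggregate cap bounds total outbound load
        self.last_probe[src_ip] = now
        self.sent_this_hour += PACKETS_PER_ATTEMPT
        self.packets_out += PACKETS_PER_ATTEMPT
        return PACKETS_PER_ATTEMPT

def outbound_per_hour(n_addresses: int, global_cap: Optional[int] = None) -> int:
    """Probe packets emitted in one hour when one query arrives from each of
    n_addresses distinct source addresses (constructed, inside 10.0.0.0/8)."""
    prober = Prober(global_cap_per_hour=global_cap)
    for i in range(n_addresses):
        addr = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        prober.on_query(addr, now=i * HOUR // max(n_addresses, 1))  # spread over the hour
    return prober.packets_out

def amplification(n_addresses: int, global_cap: Optional[int] = None) -> float:
    """Outbound probe packets per query packet received."""
    return outbound_per_hour(n_addresses, global_cap) / n_addresses

if __name__ == "__main__":
    for n in (1, 256, 65536):
        print(n, outbound_per_hour(n), outbound_per_hour(n, global_cap=4000))
```

The per-site limit is the one the thread describes, so repeated queries from one address cost nothing extra; only the number of distinct addresses drives the total, which is exactly what spoofed sources inflate.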