What are these entries in the log file - " query: . IN NS +"?
Matthew Pounsett
matt at conundrum.com
Tue Jan 27 06:41:01 UTC 2009
On 26-Jan-2009, at 23:03, Tony Toews [MVP] wrote:
> Ah, I think I see what is happening here. Searching the article below
> for 63.217.28.226
> http://tech.slashdot.org/tech/09/01/24/0113210.shtml shows a reply
> stating:
>
> "The problem seems to kick in for DNS servers that aren't rejecting
> the queries. Someone is channeling ye 'ole smurfing methods.
>
> They're requesting a list of all DNS root servers. If the server
> doesn't reject the query, a 17 byte query becomes a 50k response
> (or something like that) to the spoofed address."
That's right. By configuring the DNS server to respond with REJECT to
queries for which it isn't authoritative, you make it respond with a
packet that's exactly the same size as the original query -- negating
the amplification side of the attack. Once the attacker realizes
nobody is amplifying, it makes the method unattractive, since it's
more costly than other types (such as a simple ping flood).
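As an added example (not part of Matthew's reply or the original thread), the following Python script parses BIND query-log lines of the shape named in the subject ("query: . IN NS +") and counts, per logged client address, root NS queries that had recursion desired; the log lines and addresses are constructed for illustration, and the loose timestamp/prefix matching is an assumption to cover several BIND versions.

```python
import re
from collections import Counter

# BIND 9 query-log line, e.g.
#   "... client 192.0.2.10#53210: query: . IN NS +"
# The timestamp/category prefix and the optional "@0x..." / "(name)"
# fields vary between BIND versions, so they are matched loosely.
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
27-Jan-2009 06:40:01.001 client 192.0.2.10#53210: query: . IN NS +
27-Jan-2009 06:40:01.002 client 192.0.2.10#53210: query: . IN NS +
27-Jan-2009 06:40:01.003 client 192.0.2.10#53210: query: . IN NS +
27-Jan-2009 06:40:02.100 client 198.51.100.7#40000: query: www.example.com IN A +
27-Jan-2009 06:40:02.200 client 203.0.113.5#1025: query: . IN NS -
""".splitlines()


def parse_query(line):
    """Return the fields of a BIND query-log line, or None if it does not match."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    # In the query log a leading '+' in the flags means RD (recursion desired)
    # was set by the client; '-' means it was not.
    rec["rd"] = rec["flags"].startswith("+")
    return rec


def is_root_ns_probe(rec):
    """True for the pattern discussed in the thread: '. IN NS' with RD set."""
    return (rec is not None and rec["qname"] == "." and rec["qclass"] == "IN"
            and rec["qtype"] == "NS" and rec["rd"])


def root_ns_sources(lines, threshold):
    """Count '. IN NS +' queries per client address; return those >= threshold.

    In a reflection flood the logged client address is the spoofed victim,
    so a spike here identifies who is being hit, not who is sending.
    """
    counts = Counter()
    for line in lines:
        rec = parse_query(line)
        if is_root_ns_probe(rec):
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in root_ns_sources(SAMPLE_LOG, 3).items():
        print(f"{ip}: {n} root NS queries with RD set")
```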