[unisog] [REN-ISAC] Alert: DNS Smurfing

Doug Pearson dodpears at indiana.edu
Tue Dec 14 15:27:05 GMT 2004


Ryan,

Likely not. The DNS reflector attack involves well-formed valid DNS requests (although from spoofed sources!) sent to the server. Are you seeing an increase in TCP SYN aimed at the server, i.e. just SYNs with no purpose? At what rate? 

-dp


At 09:48 AM 12/13/2004 -0500, Ryan Dorman wrote:
>I have recently seen an increase in data on syn packets heading towards DNS
>server.  Is this related to this smurf attack?
>
>Ryan Dorman, CCNA
>Network Communications Specialist
>Millersville University
>717.871.5883
>Ryan.Dorman at millersville.edu
>
>PGP Public Key: http://cns.millersville.edu/rdorman_key.txt
>
>
>
>  _____  
>
>From: Florian Weimer <fw at deneb.enyo.de>
>Reply-To: UNIversity Security Operations Group <unisog at lists.sans.org>
>Date: Sat, 11 Dec 2004 13:59:01 -0500
>To: <unisog at lists.sans.org>
>Subject: Re: [unisog] [REN-ISAC] Alert: DNS Smurfing
>
>* Doug Pearson: 
>
>> Over the past couple of days several DNS Smurf attacks have been 
>> underway affecting research and education (R&E) and commercial 
>> networks. A typical DNS Smurf attack[1] works as follows: Many DNS 
>> queries of type = "any" are sent to multiple DNS servers. The 
>> queries contain the source-spoofed address of the target. 
>
>Do these attacks already exploit the superior amplification facilities 
>EDNS0 provides? 
>_______________________________________________ 
>unisog mailing list 
>unisog at lists.sans.org 
>http://www.dshield.org/mailman/listinfo/unisog
>

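Added example, not part of the original thread or written by any of its participants: a sketch of how a DNS server operator could spot the pattern described above (many type ANY queries that all claim the same source address) in a query log, as opposed to the TCP SYN traffic asked about. The log format, function names, window and threshold are assumptions made for illustration, and the sample lines are constructed.

```python
from collections import defaultdict, deque


def find_reflection_victims(lines, window=10.0, threshold=20):
    """Return {claimed_source: peak ANY-query count in any `window` seconds}
    for sources whose peak reaches `threshold`. Lines must be time-ordered.

    Assumed (hypothetical) line format: "<epoch_seconds> <source_ip> <qname> <qtype>".
    In a reflection attack the source address is spoofed, so the flagged
    address is the likely target, not the sender.
    """
    recent = defaultdict(deque)  # source -> timestamps of ANY queries still in window
    peak = defaultdict(int)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, src, _qname, qtype = parts
        if qtype.upper() != "ANY":
            continue  # ordinary lookups (A, MX, ...) are not counted
        try:
            t = float(ts)
        except ValueError:
            continue
        q = recent[src]
        q.append(t)
        while q and q[0] <= t - window:
            q.popleft()  # drop queries that fell out of the sliding window
        peak[src] = max(peak[src], len(q))
    return {s: n for s, n in peak.items() if n >= threshold}


def constructed_sample():
    """Constructed log lines: one burst of ANY queries plus normal traffic."""
    lines = [f"{1000 + i * 0.2:.1f} 198.51.100.7 example.edu ANY" for i in range(40)]
    lines += [
        "1001.0 192.0.2.10 www.example.edu A",
        "1002.0 192.0.2.10 example.edu MX",
        "1003.0 192.0.2.11 example.edu ANY",  # a single ANY query is not a burst
    ]
    return sorted(lines, key=lambda l: float(l.split()[0]))


if __name__ == "__main__":
    print(find_reflection_victims(constructed_sample()))
```
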


