[ratelimits] error in amplification attack

Joe Abley jabley at hopcount.ca
Wed Nov 14 01:15:50 UTC 2012


On 2012-11-13, at 19:58, Andrew Sullivan <ajs at crankycanuck.ca> wrote:

> On Tue, Nov 13, 2012 at 10:49:27PM +0000, Vernon Schryver wrote:
> 
>> A DNSSEC referral from the gTLD roots gives an amplification of
>> about 14X.
> 
> What is a DNSSEC referral?  I don't think such referrals are signed,
> are they?

The DS RRSet is signed. If there's no DS RRSet, there's no secure referral.

; <<>> DiG 9.8.3-P1 <<>> @a.gtld-servers.net verisigninc.com soa +dnssec +norec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47317
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 10, ADDITIONAL: 10

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;verisigninc.com.		IN	SOA

;; AUTHORITY SECTION:
verisigninc.com.	172800	IN	NS	l4.nstld.com.
verisigninc.com.	172800	IN	NS	a4.nstld.com.
verisigninc.com.	172800	IN	NS	f4.nstld.com.
verisigninc.com.	172800	IN	NS	g4.nstld.com.
verisigninc.com.	172800	IN	NS	k4.nstld.com.
verisigninc.com.	172800	IN	NS	j4.nstld.com.
verisigninc.com.	172800	IN	NS	h4.nstld.com.
verisigninc.com.	172800	IN	NS	a1.verisigndns.com.
verisigninc.com.	86400	IN	DS	64326 8 2 02E7FEF4C3BBB0A0FA52F0F8E5774C44B243739D1AB7B3B426A417C3 88F45ACF
verisigninc.com.	86400	IN	RRSIG	DS 8 2 86400 20121120051944 20121113040944 34367 com. q0vl+C8ia6cCo1Mm6eAWD19FRyyH9WtbcXyTKuwTCyRCCa/WtRa9PZD5 9+qT98DdiDEapUKvzJ2fvSQyl08wVPFT9KKP8xSGPEmclD81MC9a1qWi unQUGuARBVttnbW8+K+ijpNdOLSKdoY6U+Cwfr+soyUbQERQj4WK7pAH qTs=

;; ADDITIONAL SECTION:
l4.nstld.com.		172800	IN	A	192.41.162.33
a4.nstld.com.		172800	IN	A	69.36.158.33
f4.nstld.com.		172800	IN	A	192.35.51.33
g4.nstld.com.		172800	IN	A	192.42.93.33
k4.nstld.com.		172800	IN	A	192.52.178.33
j4.nstld.com.		172800	IN	A	192.48.79.33
h4.nstld.com.		172800	IN	A	192.54.112.33
a1.verisigndns.com.	172800	IN	AAAA	2001:500:7967::2:33
a1.verisigndns.com.	172800	IN	A	209.112.113.33

;; Query time: 42 msec
;; SERVER: 2001:503:a83e::2:30#53(2001:503:a83e::2:30)
;; WHEN: Tue Nov 13 20:14:07 2012
;; MSG SIZE  rcvd: 565


20:14:07.954534 IP6 2001:4900:1042:100:ec75:a84f:cdab:5e06.57651 > 2001:503:a83e::2:30.53: 47317 [1au] SOA? verisigninc.com. (44)
20:14:07.994629 IP6 2001:503:a83e::2:30.53 > 2001:4900:1042:100:ec75:a84f:cdab:5e06.57651: 47317- 0/10/10 (565)

565/14 = 13 or so.


Joe
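
The size comparison in the message above, as an added example that is not part of the original post: a Python sketch that pairs queries and responses in tcpdump's one-line DNS output and reports the response/query size ratio. The function name `amplification`, the `overhead` parameter and the 48-byte IPv6+UDP header figure are assumptions of this example; the two sample lines are the ones captured above.

```python
import re

# tcpdump one-line DNS summary: time, IP/IP6, src.port > dst.port:, id+flags, ..., (size)
LINE = re.compile(
    r"^\S+ IP6? (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<id>\d+)\S* .*\((?P<size>\d+)\)\s*$"
)

# The two packets from the capture in the message above.
SAMPLE = """\
20:14:07.954534 IP6 2001:4900:1042:100:ec75:a84f:cdab:5e06.57651 > 2001:503:a83e::2:30.53: 47317 [1au] SOA? verisigninc.com. (44)
20:14:07.994629 IP6 2001:503:a83e::2:30.53 > 2001:4900:1042:100:ec75:a84f:cdab:5e06.57651: 47317- 0/10/10 (565)
"""

def amplification(lines, overhead=0):
    """Pair each response with its query and return the size ratios.

    Sizes are the DNS message lengths tcpdump prints in parentheses.
    `overhead` (assumption of this example) adds fixed per-packet header
    bytes, e.g. 48 for IPv6 (40) + UDP (8), to approximate on-wire cost.
    """
    pending = {}   # (client, client port, server, DNS id) -> query size
    results = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                      # not a DNS summary line
        size = int(m["size"]) + overhead
        if m["dport"] == "53":            # client -> server: a query
            pending[(m["src"], m["sport"], m["dst"], m["id"])] = size
        elif m["sport"] == "53":          # server -> client: a response
            key = (m["dst"], m["dport"], m["src"], m["id"])
            query = pending.pop(key, None)
            if query is None:
                continue                  # query not in the capture; skip
            results.append({
                "server": m["src"], "id": int(m["id"]),
                "query": query, "response": size,
                "ratio": size / query,
            })
    return results

if __name__ == "__main__":
    for r in amplification(SAMPLE.splitlines()):
        print(f"id {r['id']} from {r['server']}: "
              f"{r['response']}/{r['query']} = {r['ratio']:.1f}x")
    for r in amplification(SAMPLE.splitlines(), overhead=48):
        print(f"with IPv6+UDP headers: {r['ratio']:.1f}x")
```

Counting packet headers as well as the DNS payload gives a lower ratio, since the fixed header bytes weigh more heavily on the small query than on the large response.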

