The DNS server answers all queries, including queries for the root zone (.), and returns additional delegation information to arbitrary source IP addresses. A query for the NS records of the root zone draws an answer that is much larger than the query (often more than 20 times its size). Because the query is a single UDP datagram with no handshake, an attacker can spoof the source IP address of the query, causing the DNS server to send the large answer to the spoofed address. Directing many such answers at a single target results in a denial of service for that IP. The amplification attack also puts the DNS server itself at risk of denial of service: its ability to respond to legitimate DNS queries is reduced by the consumed system resources and the higher network traffic levels.

Verification must be done from a host that is not on the network/intranet of the DNS server, since answering its own clients is expected; the problem is a large answer sent to an arbitrary external source. Command to verify from a UNIX based system: 'dig -t NS . @IP.OF.DNS.SERVER' or 'host -v -t NS . IP.OF.DNS.SERVER'. On Windows, run 'nslookup -type=NS . IP.OF.DNS.SERVER'. If the response received includes answer and additional sections that list a number of hosts (often on 'root-servers.net'), then the system is vulnerable. The SANS Internet Storm Center has also provided an online tool to verify this issue (see the link to sans.org in the references).

Note: Vulnerabilities which result only in denial of service do not affect PCI compliance; however, they may still be critical to your systems.