Re: [Dnsmasq-discuss] dnsmasq 2.86 seems to stop reading from one of its dns sockets after a period of time under load

Wed, 18 May 2022 01:34:53 -0700 

On 5/18/22 2:57 AM, Geert Stappers via Dnsmasq-discuss wrote:

On Fri, May 13, 2022 at 08:15:42PM -0400, wkitt...@gmail.com wrote:

On 5/13/22 3:48 PM, Simon Kelley wrote:

So queries are being received, and answered, but the reply is being
dropped by the kernel because the send queue is full of replies to dead
hosts? If the hosts are dead, where are the queries coming from to
generate these blocked replies?


reading the OP and the following responses, i almost wonder if there's some
sort of "reflection attack" going on...



Thanks for raising awareness of malicious factors.

After reading https://en.wikipedia.org/wiki/Reflection_attack I fail to
see why this particular kind attack could be in play.
Which authentication does dnsmasq with what?



there are several types of "reflection attack"... the one i was thinking of is 
the one where the originating address in UDP packets is spoofed so the reply is 
sent to another address than that of the attacker... it is better know as "DNS 
amplification" and is a type of DDOS as well as reflection attack...



"DNS amplification is a type of reflection attack which manipulates 
publically-accessible domain name systems, making them flood a target with large 
quantities of UDP packets."



consider the situation where DNS amplification is used and the source addresses 
are spoofed to be those of dead systems... you'll get the same effect of the 
replies being dropped in the kernel... if sufficient quantity of these packets 
are received, you have a DOS on the DNS server... band a bunch of attacking 
systems together and you have a DDOS on the DNS server...



i apologize for not using the proper term for what i was thinking of in my first 
post... i blame a lack of c0ffee and a having just woken ;)



--
 NOTE: No off-list assistance is given without prior approval.
       *Please keep mailing list traffic on the list unless*
       *a signed and pre-paid contract is in effect with us.*

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss






















					Reply via email to