On Wed, 8 Mar 2006 15:55:21 -0700 Mark wrote: MS> Correct me if I'm wrong, but I was under the impression that DNS MS> responses that go over the max size of a UDP datagram won't get split MS> into multiple UDP datagrams. Rather, a response with only partial MS> data will be sent back, and the client has to reconnect over TCP to MS> get the full data. MS> MS> RFC 2671 even suggests that UDP DNS messages can't go over 512 bytes MS> (although it may be old news now that that has been increased). Exactly. The attackers do use EDNS0 [RFC2671], which allows clients to declare the maximum size of UDP message they are willing to handle. So the spoofed packet sets this value to whatever they want. MS> So, you can send a bunch of source-spoofed requests that are under 100 MS> bytes, and get a bunch of 512 bytes responses. In the most recent round of attacks, the attackers were using 4k TXT records, so a 100 byte request is hugely amplified...
