Hi folks
We have experienced this issue a lot with the WNDR4500 model in the last months. This is definitely a bug, which can be fixed with a newer FW release. Whenever we see constant traffic of approx. 10 Mbps and high CPU on our name servers, it's a WNDR4500.
I'm not completely sure, but it seems like the DNS query flooding is triggered by a temporary link down on the router's WAN port.
No advices for hacking from my side. Just hunt down the customer who's causing your problem :)
Cheers, Reto
-----Original Message----- From: swinog-bounces@lists.swinog.ch [mailto:swinog- bounces@lists.swinog.ch] On Behalf Of Beat Bodenmann Sent: Friday, May 24, 2013 2:59 PM To: swinog@swinog.ch Subject: Re: [swinog] DDOS DNS Attack by Netgear Products caused by CNAME instead of A record?
Hey all
We had the same problem, at last a few weeks ago. We reported it to Netgear in Dec 12 for the first Time -> no result We tried to overwrite these records with another -> just for testing. The routers were still asking k-times a second.
I think it's not a DNS-problem, cause it doesn't matter what's the answer on a request is, the router is still asking. Only a reboot of device stops the 'attack'.
Best Regards
Beat
-----Ursprüngliche Nachricht----- Von: swinog-bounces@lists.swinog.ch [mailto:swinog- bounces@lists.swinog.ch] Im Auftrag von Roman Hochuli Gesendet: Freitag, 24. Mai 2013 14:33 An: swinog@swinog.ch Betreff: Re: [swinog] DDOS DNS Attack by Netgear Products caused by CNAME instead of A record?
Hey All
If it is really hurting you big time you may choose to run a very mean hack: temporarily setup a netgear.com-Zone on your dns-servers and point these records to a useful NTP server. Adding an A-record for their website would probably a good idea as well. ;)
Yes, it is an EXTREMELY UGLY HACK. But as stated above: it might be easier to cut yourself a hand off than loosing the whole arm...
but what's the hex string for this kind of query. anybody got it?
Had there somebody fun with Stefans presentation of yesterday...? ;)
-- Best regards, Roman Hochuli Operations Manager
nexellent ag Saegereistrasse 33 CH-8152 Glattbrugg
Phone: +41 44 872 20 00 Fax: +41 44 872 20 01 URL: www.nexellent.ch X-NCC-RegID: ch.nexellent
Imagination is the one weapon in the war against reality. -- Jules de Gaultier
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog