JVN#61857DA9
DNS cache servers resource consumption by TCP SYN_SENT states
Overview
A DNS cache server consumes excessive resources communicating with DNS authoritative servers in the following situation:
(1) a user sends a query to the DNS cache server
(2) the DNS cache server sends a UDP query to an authoritative server
(3) when the authoritative server finds that the reply is too large to fit in the UDP response, it sends back a truncated reply packet to the DNS cache server with the TC bit set
(4) the DNS cache server re-sends a query by TCP
(5) when the authoritative server does not reply to the TCP query, or 53/tcp destined packets are dropped, the DNS cache server holds the socket in the SYN_SENT state for a certain period of time
(6) a huge number of transactions in steps (1)-(5) take place in a short period of time
Products Affected
- DNS cache servers operating in the network configuration described above
Description
Impact
The DNS cache server suffers a TCP state table overflow when it makes a huge number of TCP queries to authoritative servers for which 53/tcp packets are dropped or which do not reply to TCP queries.
Solution
Vendor Status
Vendor | Status | Last Update | Vendor Notes
---|---|---|---
FUJITSU LIMITED | Not Vulnerable | 2005/10/04 |
Hitachi | Not Vulnerable | 2004/10/26 |
Microsoft Co.,Ltd. | Not Vulnerable, investigating | 2004/10/20 |
NEC Corporation | Not Vulnerable, investigating | 2004/10/20 |
Turbolinux, Inc. | Unknown | 2004/10/20 |
References
- NANOG PDF presentation: DNS Anomalies and Their Impacts on DNS Cache Servers
- NANOG Abstract: DNS Anomalies and Their Impacts on DNS Cache Servers
JPCERT/CC Addendum
Credit
Other Information