[dns-operations] DNS deluge for x.p.ctrc.cc

Roland Dobbins rdobbins at cisco.com
Sun Feb 26 23:41:51 UTC 2006


I wasn't talking about just smurf-like with that type of  
amplification effect, nor just tricks like asking for 4K TXT records,  
etc.; rather, some interesting logical relationships that Dan and  
Mike have uncovered between some open recursive nameservers and  
heretofore unknown resolvers of one flavor or another.

Once Dan's ShmooCon preso is made available, this will become more  
clear.


On Feb 26, 2006, at 3:20 PM, Gadi Evron wrote:

> Roland Dobbins wrote:
>> I'm waiting for the latest iteration of Dan's talk he gave at
>> ShmooCon this past January to be posted online, he gives lots of
>> numbers and examples, including odd 'hidden' relationships
>> between DNS servers, amplification effects of 1000:1, etc.
>
> It should be noted that these attacks are not *just* smurf-like  
> with an amplification effect. Rather, the attack can be compared on  
> a lower level to a simple ICMP DDoS attack from spoofed addresses  
> where an echo is returned to the address which was spoofed.
>
> We can still see these and "secondary victims" (the people being  
> attacked by the attacked server returning the echo) in the wild.
>
> That's the simplest way of explaining this, and that is still a  
> risk. The amplification effect is what makes this especially  
> dangerous.
>
> 	Gadi.

----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice

      Everything has been said.  But nobody listens.

                    -- Roger Shattuck
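
The reflection described in the quoted message above, seen from the side of the spoofed address, as an added example that is not part of the original thread: DNS responses that match no query the host actually sent are counted per source resolver. The record layout, addresses, names and the `min_bytes` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records (not real traffic), as seen at the edge of one host:
# (direction, peer_ip, dns_id, qname, qtype, udp_payload_bytes)
SAMPLE = [
    ("out", "198.51.100.53", 0x1A2B, "www.example.org.", "A", 45),
    ("in",  "198.51.100.53", 0x1A2B, "www.example.org.", "A", 61),    # solicited
    ("in",  "203.0.113.7",   0x0001, "big.example.net.", "TXT", 4012),
    ("in",  "203.0.113.7",   0x0002, "big.example.net.", "TXT", 4012),
    ("in",  "203.0.113.99",  0x0003, "big.example.net.", "TXT", 4012),
    ("in",  "198.51.100.53", 0x1A2B, "www.example.org.", "A", 61),    # duplicate answer
]

def unsolicited_responses(records):
    """Return {resolver_ip: {"count": n, "bytes": b}} for inbound responses
    that do not pair with an outstanding query sent by this host."""
    pending = defaultdict(int)   # outstanding queries keyed by (peer, id, name, type)
    stats = defaultdict(lambda: {"count": 0, "bytes": 0})
    for direction, peer, dns_id, qname, qtype, size in records:
        key = (peer, dns_id, qname.lower(), qtype)
        if direction == "out":
            pending[key] += 1
        elif pending[key] > 0:
            pending[key] -= 1    # response consumes the query it answers
        else:
            # Nothing outstanding: the query was sent by someone else using
            # this host's address as the source, or the answer is a replay.
            stats[peer]["count"] += 1
            stats[peer]["bytes"] += size
    return dict(stats)

def flag_reflectors(records, min_bytes=4000):
    """Resolvers whose unsolicited response volume reaches min_bytes."""
    stats = unsolicited_responses(records)
    return sorted(ip for ip, s in stats.items() if s["bytes"] >= min_bytes)

if __name__ == "__main__":
    for ip, s in sorted(unsolicited_responses(SAMPLE).items()):
        print(f"{ip}: {s['count']} unsolicited responses, {s['bytes']} bytes")
    print("candidate reflectors:", flag_reflectors(SAMPLE))
```

The flagged addresses are the resolvers being used as reflectors, which is the list to hand to their operators or to an upstream filter.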



