[dns-operations] DNS deluge for x.p.ctrc.cc

Tim Wilde twilde at dyndns.com
Mon Feb 27 00:50:12 UTC 2006

On Mon, 27 Feb 2006, Paul Vixie wrote:

> since such servers would be doing nothing wrong, there'd be no basis for
> shunning them.  still, some kind of WRED could be employed at the victim's
> border if the number of servers sending these big responses was small enough.
> my gut-level assumption is that there won't be 580K authority servers (or
> 122K or 1M or whatever) available to participate in this kind of amplification
> the way that's currently being seen with open recursive servers.  (right?)

Well...  I don't know how many physical DNS servers say, Akamai, or 
UltraDNS actually have deployed, but if the large legitimate RRSET was 
served by one of them, and the attackers could harvest a list of all of 
the physical instances (via, for instance, whoareyou.ultradns.net), I 
could imagine them getting a good number of (very well-connected) sources 
amplifying for them.  Still nowhere near the tens/hundreds of thousands 
(unless Akamai/UltraDNS/others are FAR more widely deployed than I 
imagine), but probably more than just tens.

As has been mentioned before, the full solution comes down to the age old 
problem of proper spoof prevention throughout the 'net.  Not exactly an 
easy one to solve, though.


Tim Wilde
twilde at dyndns.com
Systems Administrator
Dynamic Network Services, Inc.

More information about the dns-operations mailing list