[dns-operations] DNS deluge for x.p.ctrc.cc

Mark Andrews Mark_Andrews at isc.org
Mon Feb 27 22:11:44 UTC 2006


> > Why bother testing if it's recursive if either way it's going to send packets
> > back to a victim?  Sure, it's a smaller payload but it's still an attack
> > vector.
> 
> In that case it would just be a standard reflective attack, virtually no
> amplification.  The same could be said of just about any protocol where a
> spoofed query would elicit a response (icmp, tcp, etc).  The problem to keep
> in mind is the amplification effect caused by open recursive servers and the
> ability to spoof requests towards them.

	Recursive is redundant in the above sentence.  Just about
	any DNS response to a QUERY is an amplification.  REFUSED
	is normally 1:1, FORMERR is about the only response that
	should result in a reduction.

	While I think caching servers should be protecting themselves
	from arbitrary recursive queries for reasons totally unrelated
	to the issue under discussion, I don't think closing them
	down for this does much more than hide the initial query
	streams.

	Sure, go ahead and inform the open servers, if only for their
	own protection, but it will have little effect on this problem.
  
	Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
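
Added example, not part of the original message: a Python sketch that builds DNS messages per RFC 1035 and compares response size to query size by RCODE, to illustrate the REFUSED 1:1 and FORMERR reduction points above. The name example.com, the 192.0.2.x addresses and the assumption that a FORMERR reply carries only the header while other replies echo the question are constructed for illustration.

```python
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 5: "REFUSED"}

def encode_name(name):
    """Domain name as length-prefixed labels, RFC 1035 section 3.1."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def header(msg_id, flags, qd=0, an=0):
    """12-byte DNS header; NSCOUNT and ARCOUNT left at zero."""
    return struct.pack("!HHHHHH", msg_id, flags, qd, an, 0, 0)

def build_query(name, msg_id=0x1234):
    """Standard QUERY for an A record, RD set, one question."""
    return header(msg_id, 0x0100, qd=1) + encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(query, rcode, a_records=()):
    """Constructed reply. Assumption: FORMERR carries the header only,
    every other reply echoes the question section."""
    msg_id, qflags = struct.unpack("!HH", query[:4])
    flags = 0x8000 | (qflags & 0x0100) | rcode      # QR=1, copy RD, set RCODE
    if rcode == 1:
        return header(msg_id, flags)
    # Each A record: compression pointer to offset 12, TYPE, CLASS, TTL, RDLENGTH, RDATA
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(ip)
                   for ip in a_records)
    return header(msg_id, flags, qd=1, an=len(a_records)) + query[12:] + rrs

def rcode_of(message):
    """RCODE is the low 4 bits of the flags word."""
    return struct.unpack("!H", message[2:4])[0] & 0x000F

def ratios_by_rcode(pairs):
    """Map RCODE name -> response bytes / query bytes for (query, response) pairs."""
    return {RCODE_NAMES.get(rcode_of(r), str(rcode_of(r))): len(r) / len(q)
            for q, r in pairs}

# Constructed sample traffic (documentation name and addresses, not captured data).
QUERY = build_query("example.com")
SAMPLE = [
    (QUERY, build_response(QUERY, 5)),
    (QUERY, build_response(QUERY, 1)),
    (QUERY, build_response(QUERY, 0, [(192, 0, 2, 1), (192, 0, 2, 2)])),
]

if __name__ == "__main__":
    for name, ratio in ratios_by_rcode(SAMPLE).items():
        print(f"{name:8s} {ratio:.2f}")
```

The same ratios_by_rcode function can be fed (query, response) byte pairs taken from a packet capture to see which response types on a given server exceed 1:1.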


