[dns-operations] DNS deluge for x.p.ctrc.cc
Mark Andrews
Mark_Andrews at isc.org
Mon Feb 27 22:11:44 UTC 2006
> > Why bother testing if it's recursive if either way it's going to send packets
> > back to a victim? Sure it's a smaller payload but it's still an attack
> > vector.
>
> In that case it would just be a standard reflective attack, virtually no
> amplification. The same could be said of just about any protocol where a
> spoofed query would elicit a response (icmp, tcp, etc). The problem to keep
> in mind is the amplification effect caused by open recursive servers and the
> ability to spoof requests towards them.

Recursive is redundant in the above sentence. Just about
any DNS response to a QUERY is an amplification. REFUSED
is normally 1:1, FORMERR is about the only response that
should result in a reduction.

While I think caching servers should be protecting themselves
from arbitrary recursive queries for reasons totally unrelated
to the issue under discussion, I don't think closing them
down for this does much more than hide the initial query
streams.

Sure go ahead and inform the open servers, if only for their
own protection, but it will have little effect on this problem.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
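
Added example, not part of the original message: a Python sketch that builds DNS wire-format messages offline and compares response size to query size for the three cases the message names (an answer carrying data, REFUSED, FORMERR). The query name is taken from the subject line; the 200-byte TXT RDATA is constructed and does not reflect the real zone, and the FORMERR reply is assumed to be header-only.

```python
import struct

def encode_name(name):
    """Encode a domain name as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def header(flags, qdcount, ancount):
    # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT: always 12 bytes
    return struct.pack("!HHHHHH", 0x1234, flags, qdcount, ancount, 0, 0)

def question(name, qtype):
    return encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def build_query(name, qtype):
    return header(0x0100, 1, 0) + question(name, qtype)  # RD=1

def build_response(name, qtype, rcode, answers=(), echo_question=True):
    flags = 0x8100 | rcode  # QR=1, RD copied from the query, RCODE in low 4 bits
    msg = header(flags, 1 if echo_question else 0, len(answers))
    if echo_question:
        msg += question(name, qtype)
    for rdata in answers:
        # Owner name as a compression pointer to offset 12,
        # then TYPE, CLASS, TTL, RDLENGTH
        msg += struct.pack("!HHHIH", 0xC00C, qtype, 1, 300, len(rdata)) + rdata
    return msg

def size_ratios(name="x.p.ctrc.cc"):
    """Return {label: response_bytes / query_bytes} for three response kinds."""
    TXT, NOERROR, FORMERR, REFUSED = 16, 0, 1, 5
    query = build_query(name, TXT)
    txt_rdata = bytes([199]) + b"a" * 199  # constructed 200-byte TXT RDATA
    responses = {
        "NOERROR+TXT": build_response(name, TXT, NOERROR, [txt_rdata]),
        "REFUSED": build_response(name, TXT, REFUSED),
        # Assumption: an unparseable query is answered with the header only
        "FORMERR": build_response(name, TXT, FORMERR, echo_question=False),
    }
    return {kind: len(r) / len(query) for kind, r in responses.items()}

if __name__ == "__main__":
    for kind, ratio in size_ratios().items():
        print(f"{kind:12s} {ratio:.2f}x")
```

The ratios depend only on message sizes, so the same functions can be used to estimate how much a rate limit or a response-size cap reduces the bytes a server returns per query.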