[dns-operations] DNS deluge for x.p.ctrc.cc

Paul Vixie paul at vix.com
Tue Feb 28 02:04:06 UTC 2006

# ...  If open resolvers are all taken off the net whats to stop the botnets
# from sending enough queries to the root servers with spoofed sources to
# accomplish the same goal?  Sure it takes more packets but ...

any time we can make more work for the attackers, we help ourselves.  there
is no FUSSP (see http://www.rhyolite.com/anti-spam/you-might-be.html for more)
and we're just going to have to play out-innovate with the bad guys, for all
time.  any time we find an abusable service that's not actually necessary in
its abusable form (like fingerd/finger forwarding, or open mail relays, or
lpd/lpr forwarding, or whois forwarding, or trivial-to-guess passwords that
never expire) we have to treat it as a good-guy-innovates opportunity, even
if the result is an internet with less feel-good-itude than we came here for
or than some of us remember from the internet's relative youth.

# Why bother testing if its recursive if either way its going to send packets 
# back to a victim? Sure its a smaller payload but its still an attack vector.

it's more packets for them.  more work.  more detectability.  more cost for
the fence-sitting middlemen who sit on the beneficial side of the assymetric
cost:benefit relationship that enables most of these attacks to succeed more
than once.

More information about the dns-operations mailing list