[dns-operations] DNS deluge for x.p.ctrc.cc

Tony Finch dot at dotat.at
Tue Feb 28 12:31:41 UTC 2006


On Mon, 27 Feb 2006, Geo. wrote:
>
> What problem is left unattended with DNS if you cannot spoof UDP
> packets?

Perhaps something along the lines of: the attacker sets up an NS record to
point to the victim, and then gets lots of recursive resolvers to query
for names that the NS record says the victim knows about. This gives the
attacker both reflection from the query recursion and amplification from
the retries. However the attacker has to be able to cope with the SERVFAIL
replies from the resolvers, and the resolvers can mitigate the attack by
identifying broken nameservers and not sending queries to them.

Tony.
-- 
f.a.n.finch  <dot at dotat.at>  http://dotat.at/
SOLE: NORTH 4 OR 5, OCCASIONALLY 6 LATER IN EAST. SHOWERS LATER. MAINLY GOOD.
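
The resolver-side mitigation mentioned in the message above (identifying broken nameservers and not sending queries to them), as an added example that is not part of the original post or of any resolver's code. The class name, thresholds, retry count, and the 192.0.2.53 address are assumptions chosen for illustration.

```python
# Added illustration: hold-down of unresponsive nameservers (names and thresholds are assumptions).
class ServerHealth:
    def __init__(self, max_failures=3, hold_down=900.0):
        self.max_failures = max_failures   # consecutive timeouts before hold-down
        self.hold_down = hold_down         # seconds during which the server is not queried
        self.failures = {}                 # addr -> consecutive timeout count
        self.held_until = {}               # addr -> time at which queries may resume

    def usable(self, addr, now):
        return now >= self.held_until.get(addr, 0.0)

    def record_timeout(self, addr, now):
        n = self.failures.get(addr, 0) + 1
        self.failures[addr] = n
        if n >= self.max_failures:
            self.held_until[addr] = now + self.hold_down
            self.failures[addr] = 0        # start counting afresh after the hold-down

    def record_answer(self, addr):
        self.failures.pop(addr, None)
        self.held_until.pop(addr, None)


def resolve(qname, ns_addrs, send_query, health, now, retries=3):
    """Return (rcode, packets_sent); send_query(addr, qname) is True when a reply arrives."""
    sent = 0
    for addr in ns_addrs:
        if health is not None and not health.usable(addr, now):
            continue                       # held-down server: no packet leaves the resolver
        for _ in range(retries):
            sent += 1
            if send_query(addr, qname):
                if health is not None:
                    health.record_answer(addr)
                return "NOERROR", sent
            if health is not None:
                health.record_timeout(addr, now)
                if not health.usable(addr, now):
                    break                  # threshold reached mid-retry: stop immediately
    return "SERVFAIL", sent


def simulate(n_queries, health):
    """Constructed scenario: one delegated NS address that never answers DNS queries."""
    target = "192.0.2.53"                  # documentation-range address, constructed
    no_reply = lambda addr, qname: False
    return sum(resolve(f"r{i}.zone.example", [target], no_reply, health, float(i))[1]
               for i in range(n_queries))
```

Without the health table every client query costs the full retry count in packets toward the unresponsive address; with it, only the first query does until the hold-down expires and the server is probed again.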


