[dns-operations] DNS Amplification Attacks

Geo. geoincidents at nls.net
Tue Mar 21 04:32:52 UTC 2006

> this topic has heated back up on nanog.  for those not subscribed there:

(/polite mode on) My one post over here for the day.

Back when we shut down open relay mail servers to address the spam problem,
we ignored the spoofing issue; with mail it was spoofing the FROM: address.

Because we ignored that, today we have no open relay servers, yet we still
have spam, phishing, joe-jobs, email viruses, etc. because we did not address
the anonymous aspect of spoofing the FROM address. That actually would have
been a very difficult thing to fix without reworking SMTP, but we are now in
the process of doing exactly that in order to address these other anonymous
source problems.

We have the same thing now with the DNS flooding issue: we have open
recursive servers and we have a spoofing aspect, which is really what makes
this such an attractive attack vector. The amplification aspect is a nice
feature for an attack vector, but let's face it, if you have a 20,000 bot
network you don't really need it. However, being able to use that network
without exposing the bots (spoofed traffic is such a bear to track), well,
that's the draw.

But we have something now we didn't have with FROM spoofing: we have a
fairly easy fix, and the only tough part is getting people to implement it. I
know Paul correctly pointed out the problems with making the world
spoof-proof, and I see his point of view, but from the point of view of the
guys on the front lines at every ISP, closing down open recursive servers
isn't going to be a piece of cake either, and it's not going to solve the
problem of DNS flooding, although it will remove this one vector.

It will still be possible to use a bot network to flood from the recursive
servers those bots are allowed to use; it will still be possible to use
spoofed UDP to infect thousands of machines (SQL Slammer is an example); it
will still be possible to control bots via spoofed UDP commands; the
anonymous aspect will remain; and the focus on BCP38 will be diminished
because closing open recursive servers will be what the media picks up.

Neither solution is perfect, but one will make the attackers easier to find
while the other will take one toy away from them.
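An added example, not part of Geo.'s post or anything published by the
dns-operations list: before an operator can "close down" an open recursive
server they need to see from their own logs that it is being used as one,
and the post's point about spoofing means the source addresses they see in
a burst of identical ANY queries are the reflection victims, not the
attacker. The script below parses constructed query-log lines in a
BIND-style format (the lines, the served networks and the burst threshold
are all assumptions made up for the example) and reports recursive queries
from outside the networks the resolver is meant to serve.

```python
import re
import ipaddress
from collections import Counter

# Networks this resolver is meant to recurse for. Constructed values
# (RFC 5737 documentation ranges), not taken from the original post.
SERVED_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Query types whose answers are large relative to the small question packet,
# i.e. the ones that give a reflector its amplification.
AMPLIFYING_TYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}

# Constructed sample lines in a BIND-style query-log format. Not a real capture.
SAMPLE_LOG = """\
client 192.0.2.10#53211: query: www.example.net IN A + (192.0.2.1)
client 203.0.113.5#5000: query: example.org IN ANY +E (192.0.2.1)
client 203.0.113.5#5000: query: example.org IN ANY +E (192.0.2.1)
client 203.0.113.5#5000: query: example.org IN ANY +E (192.0.2.1)
client 203.0.113.5#5000: query: example.org IN ANY +E (192.0.2.1)
client 198.51.100.20#4100: query: mail.example.net IN MX + (192.0.2.1)
client 203.0.113.9#3322: query: example.org IN A - (192.0.2.1)
client 203.0.113.77#1500: query: example.com IN TXT + (192.0.2.1)
"""

LINE_RE = re.compile(
    r"client (?P<src>[0-9.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\w+) (?P<flags>\S+)"
)


def parse_line(line):
    """Return a dict for one query-log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m.group("src")),
        "name": m.group("name"),
        "qtype": m.group("qtype").upper(),
        # In this log format a leading '+' in the flags field means the
        # client set RD (recursion desired); '-' means it did not.
        "rd": m.group("flags").startswith("+"),
    }


def is_served(ip):
    """True if the client address is in a network we intend to recurse for."""
    return any(ip in net for net in SERVED_NETS)


def analyse(log_text, burst_threshold=3):
    """Summarise recursive queries that came from outside the served networks.

    Returns a dict with:
      external_recursive - count of RD queries from non-served sources; any
                           non-zero value means the resolver is effectively open
      external_sources   - the set of those source addresses, as strings
      suspected_victims  - non-served sources that sent burst_threshold or more
                           identical amplifying queries; with spoofed UDP these
                           are the likely reflection targets, not the attacker
    """
    total = 0
    per_key = Counter()
    sources = set()
    for line in log_text.splitlines():
        q = parse_line(line)
        if q is None or not q["rd"] or is_served(q["src"]):
            continue
        total += 1
        src = str(q["src"])
        sources.add(src)
        if q["qtype"] in AMPLIFYING_TYPES:
            per_key[(src, q["name"], q["qtype"])] += 1
    victims = {}
    for (src, _name, _qtype), n in per_key.items():
        if n >= burst_threshold:
            victims[src] = victims.get(src, 0) + n
    return {
        "external_recursive": total,
        "external_sources": sources,
        "suspected_victims": victims,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print("recursive queries from outside served nets:", report["external_recursive"])
    print("external sources:", sorted(report["external_sources"]))
    print("suspected reflection victims:", report["suspected_victims"])
```

On the constructed log the report shows five recursive queries from two
outside addresses, and 203.0.113.5 stands out with four identical ANY
queries; the operator's fix is to restrict recursion to SERVED_NETS, and
the address in the burst is the party to notify, since BCP38-style ingress
filtering upstream is what would be needed to find who actually sent them.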

