[dns-operations] DNS Amplification Attacks

Ondřej Surý ondrej.sury at nic.cz
Tue Mar 21 15:14:25 UTC 2006

On Mon, 2006-03-20 at 23:32 -0500, Geo. wrote:
> Neither solution is perfect but one will make the attackers easier to find
> while the other will take 1 toy away from them.

I just don't understand why you are so against shutting down open
recursors, I see that we need to do two things:

1. close down open recursors
2. push network operators to implement BCP38

Number two will take much more time and resources then number one.  I
suggest we start with number one and meanwhile also start with number
two in parallel with number one.  In ideal world you will end with no
open recursors and no non-BCP38 networks, in real world you will end
with small number of open recursors (which could be easily cut down on
victim perimeter) and somewhat smaller number of non-BCP38 networks.  At
least we can cut out one vector of attack (with quite high amplification
ratio) in relatively small time frame.

 Ondřej Surý
 technický ředitel/Chief Technical Officer
 CZ.NIC, z.s.p.o.  --  .cz domain registry
 Lužná 591, 160 00 Praha 6, Czech Republic
 mailto:ondrej.sury at nic.cz  http://nic.cz/
 tel:+420 222 745 110 fax:+420 220 121 184
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5888 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20060321/98472374/attachment.bin>

More information about the dns-operations mailing list