[dns-operations] DNS Amplification Attacks
    Matt Pounsett 
    matt.pounsett at cira.ca
       
    Tue Mar 21 20:32:22 UTC 2006
    
    
  
On 21-Mar-2006, at 15:12 , Ondřej Surý wrote:
>
> Anyway, if I had to choose between easy troubleshooting and open
> recursors used as an attack vector OR not-so-easy troubleshooting and
> a closed attack vector for bad guys, then I am for the second option.
Oh, we're absolutely agreed on that point.  I just meant to point out  
one possible reason for operators to push back against closing open  
recursors.  I'm sure there are going to be operators out there less  
relaxed than I am about finding alternate means of discovering  
whether that piece of odd behaviour being reported by someone is  
actually just a broken DNS server outside my control.
> <demagogy :-)>
> You can easily argue that SMTP relays are an excellent tool to test how
> mail is delivered to your mail server.
> </demagogy :-)>
Yes, but that's testing for a different problem.  The correct analogy  
would be testing whether a specific mail server on the 'net is able  
to interact properly with yours. :)
>> How about DNS looking glasses that would allow queries to local (to
>> the looking glass server) DNS servers using only a web interface?
>> Conceptually more or less exactly the same as the looking glasses
>> used for BGP queries offer.
>
> I am willing to prepare and provide such a tool.  We can create a
> ring of lg-recursors which would create a tool for troubleshooting
> and allow us to start the hunt for open recursors.
This would be quite useful even though, as noted, it doesn't solve  
the whole problem of troubleshooting.
>
> Ondrej.
> P.S.: Please do not Cc: me I am subscribed to the list.
My apologies -- default behaviour of the mail client.
Matt