[dns-operations] DNS Amplification Attacks

Lutz Donnerhacke lutz at iks-jena.de
Wed Mar 22 09:45:28 UTC 2006


* Geo. wrote:
>> Botnets a plenty around the world, and implementing BCP38 won't make
>> the problem of open-recursers go away or become less manageable.
>
> Every Bot on a Botnet will have at least 2 recursive servers they are
> allowed to use, locking them down will not change that. A 20,000 bot network
> will have 40,000 dns servers to flood you with even after recursion is
> locked down.

How about using the pros of UDP? I patched my DNS server to send recursing
results with a TTL of 5 by default. If the software developers of DNS
servers would add a default TTL of not above 7 to UDP responses, open DNS
servers will not be the problem anyway.

This approach limits the amount of active parties to a handful, which is
easily manageable. No further configuration required in usual deployment.
Fixes the problem with or without spoofing.

What am I missing?
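The idea in the post, capping the IP hop limit on UDP replies from a recursor so a reflected response dies after a few routers, as an added example that is not the poster's patch or any DNS server's code; `make_dns_socket`, `reply_ttl`, `serve` and the cap value handling are assumptions, only the value 5 comes from the post:

```python
import socket

# Added example: a UDP socket for DNS replies whose outgoing IP TTL
# (IPv6: hop limit) is capped. Replies sent from this socket expire after
# DEFAULT_REPLY_TTL routers, so a reflected answer cannot reach a distant
# victim even when the query source address was spoofed.
DEFAULT_REPLY_TTL = 5  # value taken from the post; the names here are assumptions


def make_dns_socket(bind=None, ttl=DEFAULT_REPLY_TTL, family=socket.AF_INET):
    """Create a UDP socket whose sends carry at most `ttl` hops."""
    if not 1 <= ttl <= 255:
        raise ValueError("TTL must be between 1 and 255")
    sock = socket.socket(family, socket.SOCK_DGRAM)
    if family == socket.AF_INET6:
        sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_UNICAST_HOPS, ttl)
    else:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
    if bind is not None:
        sock.bind(bind)
    return sock


def reply_ttl(sock):
    """Read back the hop limit the kernel will stamp on packets from `sock`."""
    if sock.family == socket.AF_INET6:
        return sock.getsockopt(socket.IPPROTO_IPV6, socket.IPV6_UNICAST_HOPS)
    return sock.getsockopt(socket.IPPROTO_IP, socket.IP_TTL)


def serve(handler, bind=("127.0.0.1", 5353), ttl=DEFAULT_REPLY_TTL):
    """Minimal loop: every reply produced by `handler` leaves with the capped TTL.

    `handler(query_bytes) -> response_bytes` is whatever resolver logic sits
    behind the socket; this example only wires the hop-limit policy in.
    """
    sock = make_dns_socket(bind=bind, ttl=ttl)
    while True:
        query, addr = sock.recvfrom(4096)
        response = handler(query)
        if response:
            sock.sendto(response, addr)  # sent with IP TTL == ttl


if __name__ == "__main__":
    # Echo the query back unchanged; a real resolver would build an answer.
    serve(lambda q: q)
```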
