[dns-operations] Amplification attack today ?
Mark Andrews
Mark_Andrews at isc.org
Wed Feb 28 23:24:40 UTC 2007
> On Mittwoch, 28. Februar 2007 16:23 Rob Thomas wrote:
> > There is an =A0
> > on-going 1.4Gbps DNS amplification attack using 175K open recursive =A0
> > name servers, but it is hitting approximately three targets in the
> > US.
>
> Maybe someone should establish an RBL for bad DNS servers, and all root=20
> servers should block DNS queries from them? By this, you will for sure=20
> get the attraction of that servers admin, and they must fix their=20
> servers. It's a bit like RBLs for e-mails servers today, admins get to=20
> fix it quite quickly these days.
Maybe someone should realise that the DNS servers are not
the problem. The problem is people allowing spoofed traffic
to leave their networks.
spoofed traffic -> DNS server -> target
This attack can use both authoritative and recursive servers.
Do you really want to stop *all* DNS traffic? That is the
logical progression of blaming the DNS server operators.
Yes, cutting the number of reflectors will help marginally.
There are however millions of authoritative servers that can
also be used as amplifiers and they can't be disabled.
Mark
> mfg zmi
> =2D-=20
> // Michael Monnerie, Ing.BSc ----- http://it-management.at
> // Tel: 0676/846 914 666 .network.your.ideas.
> // PGP Key: "curl -s http://zmi.at/zmi4.asc | gpg --import"
> // Fingerprint: EA39 8918 EDFF 0A68 ACFB 11B7 BA2D 060F 1C6F E6B0
> // Keyserver: www.keyserver.net Key-ID: 1C6FE6B0
>
> --nextPart16088323.XIMMzykGKE
> Content-Type: application/pgp-signature
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
>
> iD8DBQBF5gs0ui0GDxxv5rARAtluAJ9LECEZ1Hljc9v74IK2BbVQ0p/b7gCdFtA8
> X5ZfbL4V+hTkfKhrsPTzZ8s=
> =kFon
> -----END PGP SIGNATURE-----
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the dns-operations
mailing list