[dns-operations] Amplification attack today ?

Mark Andrews Mark_Andrews at isc.org
Wed Feb 28 23:24:40 UTC 2007

> On Mittwoch, 28. Februar 2007 16:23 Rob Thomas wrote:
> > There is an =A0
> > on-going 1.4Gbps DNS amplification attack using 175K open recursive =A0
> > name servers, but it is hitting approximately three targets in the
> > US.
> Maybe someone should establish an RBL for bad DNS servers, and all root=20
> servers should block DNS queries from them? By this, you will for sure=20
> get the attraction of that servers admin, and they must fix their=20
> servers. It's a bit like RBLs for e-mails servers today, admins get to=20
> fix it quite quickly these days.

	Maybe someone should realise that the DNS servers are not
	the problem.  The problem is people allowing spoofed traffic
	to leave their networks.

		spoofed traffic -> DNS server -> target

	This attack can use both authoritative and recursive servers.
	Do you really want to stop *all* DNS traffic?  That is the
	logical progression of blaming the DNS server operators.

	Yes, cutting the number of reflectors will help marginally.
	There are however millions of authoritative servers that can
	also be used as amplifiers and they can't be disabled.

> mfg zmi
> =2D-=20
> // Michael Monnerie, Ing.BSc    -----      http://it-management.at
> // Tel: 0676/846 914 666                      .network.your.ideas.
> // PGP Key:        "curl -s http://zmi.at/zmi4.asc | gpg --import"
> // Fingerprint: EA39 8918 EDFF 0A68 ACFB  11B7 BA2D 060F 1C6F E6B0
> // Keyserver: www.keyserver.net                   Key-ID: 1C6FE6B0
> --nextPart16088323.XIMMzykGKE
> Content-Type: application/pgp-signature
> Version: GnuPG v1.4.5 (GNU/Linux)
> iD8DBQBF5gs0ui0GDxxv5rARAtluAJ9LECEZ1Hljc9v74IK2BbVQ0p/b7gCdFtA8
> X5ZfbL4V+hTkfKhrsPTzZ8s=
> =kFon
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the dns-operations mailing list