[dns-operations] Amplification attack today ?

Olaf M. Kolkman olaf at NLnetLabs.nl
Fri Mar 2 10:56:53 UTC 2007

On 1Mar 2007, at 12:11 AM, John Payne wrote:

>> On Wednesday, 28 February 2007 16:23 Rob Thomas wrote:
>>> There is an
>>> on-going 1.4Gbps DNS amplification attack using 175K open recursive
>>> name servers, but it is hitting approximately three targets in the
>>> US.
>> Maybe someone should establish an RBL for bad DNS servers, and all root
>> servers should block DNS queries from them? By this, you will for sure
>> get the attention of that server's admin, and they must fix their
>> servers. It's a bit like RBLs for e-mail servers today, admins get to
>> fix it quite quickly these days.
> Unfortunately... unless the blocking list is at the network level
> it's probably several orders of magnitude of extra work _not_ to
> service that request than to service it.

If I understand the proposal correctly, the purpose of the blocking by the
root servers is to make the "open recursors" aware of the fact that
they are 'open' by denying them service. So all this work would be a
public service.

Still, John's argument holds. It is not realistic for the root servers
to query the DNS 40,000 times per second to see whether they should deny
service to the resolver contacting them. Even if it were possible
to maintain the blacklist locally, I do not think the root servers
should be playing internet police.

And just as with mail blacklists, the folks who are the false
positives will suffer badly.

I am ready to dismiss this idea.


Olaf M. Kolkman
NLnet Labs
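The thread above turns on what an "open recursor" is and why a spoofed query to one is worth sending. The following is an added example, not code from the list thread or from NLnet Labs: it builds the small recursion-desired A query an attacker would spoof, parses the 12-byte DNS header of the reply, and classifies the responding server as open-recursive, closed, or invalid, the way an open-resolver scanner would. All messages are constructed inline so it runs offline; the classification rule (RA set, NOERROR, and at least one answer for a name the server is not authoritative for) is this example's assumption, not a definition from the thread.

```python
import struct

A_RRTYPE = 1
IN_CLASS = 1
RCODE_NOERROR = 0
RCODE_REFUSED = 5


def encode_name(qname: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in qname.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Build the small query an attacker would spoof: one A question, RD set."""
    flags = 0x0100 if rd else 0x0000          # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", A_RRTYPE, IN_CLASS)


def build_response(query: bytes, rcode: int, ra: bool, answers: int = 0) -> bytes:
    """Constructed test response: echoes the question and appends `answers` A records.

    This stands in for a reply captured from a server; it is not real traffic.
    """
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = 0x8000 | (qflags & 0x0100) | (0x0080 if ra else 0) | (rcode & 0x000F)
    header = struct.pack("!HHHHHH", txid, flags, 1, answers, 0, 0)
    question = query[12:]
    # One A RR: compression pointer to the question name, type, class, TTL, RDLENGTH, RDATA.
    rr = struct.pack("!HHHIH", 0xC00C, A_RRTYPE, IN_CLASS, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + rr * answers


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into the fields a resolver scanner needs."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),       # 1 = response
        "rd": bool(flags & 0x0100),       # recursion desired (copied from the query)
        "ra": bool(flags & 0x0080),       # recursion available
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_resolver(query: bytes, response: bytes) -> str:
    """Classify a server from its reply to a recursive query for a foreign name."""
    try:
        q, r = parse_header(query), parse_header(response)
    except ValueError:
        return "invalid"
    if r["id"] != q["id"] or not r["qr"]:
        return "invalid"                  # wrong transaction or not a response at all
    if r["rcode"] == RCODE_REFUSED or not r["ra"]:
        return "closed"                   # refuses, or does not offer recursion
    if r["rcode"] == RCODE_NOERROR and r["ancount"] > 0:
        return "open-recursive"           # resolved someone else's name for us
    return "unknown"


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes sent to the victim per byte the attacker spoofed toward the recursor."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("example.com")
    for label, resp in (
        ("open recursor", build_response(q, RCODE_NOERROR, ra=True, answers=3)),
        ("refusing server", build_response(q, RCODE_REFUSED, ra=False)),
    ):
        print(label, classify_resolver(q, resp), f"x{amplification_factor(q, resp):.2f}")
```

The amplification factor here is small because the constructed answer is a single A record set; the attacks discussed in the thread used queries for large responses (for instance ANY or TXT records) so that the same 29-byte spoofed query pulls kilobytes toward the victim.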
