[dns-operations] Amplification attack today ?
lutz at iks-jena.de
Tue Mar 6 15:27:57 UTC 2007
* Paul Vixie wrote:
>> BTW: DDoS has nothing to do with open recursive resolvers.
> so, naturally, i'd prefer that we solve this by universal deployment of
> BCP38 [...]. however, those aren't practical goals. so we look at
> vectors, and when we look at vectors, open recursive nameservers make
> damned fine anonymous attack reflectors. in that light, i'd like to see
> them closed down unless they are tightly managed and monitored and
> open-on-purpose (like opendns).
DNSSEC is (even used in correct configuration) a great amplification tool
for attack. Will you stop it, too? What happens if your blackhole list is
mismanaged and some "supposed open" DNS servers are blocked by the root
servers? I suspect the liability question is hard.
OTOH I have no time and no money to sue an unknown fanatic blackhole list
maintainer. I'd prefer the Internet way and switch to other services, i.e.
other root servers. I will not be alone.