[dns-operations] Amplification attack today ?

Paul Vixie paul at vix.com
Tue Mar 6 14:54:37 UTC 2007

> Every centralized structure is vulnerable to DDoS.  The only possible
> solution is to decentralize, i.e. set up DNS root servers on each ISP and
> limit the rate of cross AS DNS queries to root servers.

you had my agreement until that last part.  AS112 is an example of truly
decentralized name service, where every ISP is now capable of running their
own name server for 10.IN-ADDR.ARPA et al.  it's working well, if by working
we mean "keeps microsoft windows machines from sending their PTR updates to
the root name servers like before AS112".  but i would never consider this
kind of "unowned anycast" for serious name service where answers mattered.

> A practical solution is anycast: You can't attack a foreign server.

well, you can, if you traceroute to it and then attack the upstream link.  but
at least ddos's that go to the official advertised address are sunk locally.

> BTW: DDoS has nothing to do with open recursive resolvers.

so, naturally, i'd prefer that we solve this by universal deployment of BCP38
and by converting a hundred million bot-infestable windows computers to run
linux.  however, those aren't practical goals.  so we look at vectors, and
when we look at vectors, open recursive nameservers make damned fine anonymous
attack reflectors.  in that light, i'd like to see them closed down unless
they are tightly managed and monitored and open-on-purpose (like opendns).

More information about the dns-operations mailing list