[dns-operations] Amplification attack today ?

Lutz Donnerhacke lutz at iks-jena.de
Tue Mar 6 15:27:57 UTC 2007


* Paul Vixie wrote:
>> BTW: DDoS has nothing to do with open recursive resolvers.
>
> so, naturally, i'd prefer that we solve this by universal deployment of
> BCP38 [...].  however, those aren't practical goals.  so we look at
> vectors, and when we look at vectors, open recursive nameservers make
> damned fine anonymous attack reflectors.  in that light, i'd like to see
> them closed down unless they are tightly managed and monitored and
> open-on-purpose (like opendns).

DNSSEC is (even used in correct configuration) a great amplification tool
for attack. Will you stop it, too? What happens, if your Blackhole list is
mismanaged and some "supposed open" DNS servers are blocked by the root
servers? I suspect the liabilty question is hard.

OTOH I have not time and no money to sue an unknown fanatic blackhole list
maintainer. I'd prefer the Internet way and switch to other services i.e.
other root servers. I will not be alone.


More information about the dns-operations mailing list