[dns-operations] Weird TXT record

Mark Andrews marka at isc.org
Wed Jun 22 08:28:40 UTC 2011


In message <5E73D0A5-2F7B-4373-9F15-949E8C1551C9 at arbor.net>, "Dobbins, Roland" 
writes:
> On Jun 22, 2011, at 3:08 AM, Stephane Bortzmeyer wrote:
> 
> > Any public numbers about the relative importance of "DNSSEC query on a si=
> gned domain" vs. "a big TXT", in amplification attacks?
> 
> I don't have a validated set of stats, but have run into this anecdotally i=
> n the wild, with ~1.3KB DNSSEC responses as the blunt instrument.

Which is still just a packet.  Attacks like this can only be lauched
from ISP's that don't do proper egress filtering.  It's long past
the time when all ISP's should be in the position to perform egress
filtering.  It's been BCP for near a decade now.  Given this is
still happening it's time to talk to the politians about making
egress filtering law.  That way no ISP can say they are "disadvantaged"
because their competitor doesn't filter.

> > When you say "DNSSEC deployment has made it far easier", do you refer to =
> a theoretical analysis or to a real phenomenon seen in the wild
> 
> 
> I've run into it in the wild - it's mentioned on p. 54 of the Arbor 2010 WI=
> SR:
> 
> -----
> 
> Sixty-nine percent of respondents indicated they do not believe that drasti=
> cally increased DNS response sizes would present a new and even more easily=
>  abused vector for DNS reflection/amplification attacks (Figure 91). Intere=
> stingly, just after this report=92s survey was completed and opened for res=
> pondents to participate, Arbor observed several instances of DNSSEC-enabled=
>  reflection/amplification attacks taking place in several geographies simul=
> taneously.
> 
> -----
> 
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
> 
> 		The basis of optimism is sheer terror.
> 
> 			  -- Oscar Wilde
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org



More information about the dns-operations mailing list