[dns-operations] Why would an MTA issue an ANY query instead of an MX query?

DTNX Postmaster postmaster at dtnx.net
Tue Jun 12 18:22:29 UTC 2012

On Jun 10, 2012, at 23:59, Kyle Creyts wrote:

> On Sun, Jun 10, 2012 at 2:33 PM, Paul Vixie <paul at redbarn.org> wrote:
>>> I'm afraid we may need more control. If my clients are generating a DDoS
>>> attack at 20 responses per second, and I limit this to 5 per second -
>>> the C&C can get the same effect by mobilizing four times as many clients
>>> to do the job.
>> no. the client ip is spoofed. the number of spoofers doesn't matter,
>> when the reflector is looking at both the apparent client ip and the
>> intended response. when most well-provisioned authority servers are
>> running with some kind of rate limiting, then the only way to do a
>> reflective amplifying ddos will be (a) do it through recursive not
>> authority servers, or (b) send a small number of queries to a large
>> number of authority servers, or (c) switch to some other wide area udp
>> such as ntp or snmp or syslog or whatever.
> Someone mentioned that as soon as the spoofed client is blocked, that
> a new spoofed client is used... This behavior seems... strange. How
> quick is this shift? How would one know when to shift the target? The
> modes I _can_ come up with largely involve having some sort of
> information about what is reaching the target. (bandwidth or traffic
> sources) This just leads to more interesting questions about those
> perpetrating the attacks, and their intent. Is there an obvious way of
> discerning the time to switch targets that I am missing? Is this a
> non-interesting topic?

From what I've seen, in our specific case, the apparent source address 
seems to swap every thousands requests or so, with a few exceptions. 

This is from running dnstop on our auth nameservers for a few hours.


More information about the dns-operations mailing list