[dns-operations] DNS Amplification in numbers

Jart Armin jart at jartarmin.com
Fri Nov 9 16:41:40 UTC 2012

Thanks Lutz,

Very useful findings which mirror our ongoing analysis, partly
reported here http://www.pcadvisor.co.uk/news/security/3407302/open-dns-resolvers-increasingly-abused-amplify-ddos-attacks-report-says/

In 42 DDoS attacks recently measured, around 140,000 IPs resulted, of
which around 8% are potential reflection and amplification relays. What we
can say, 97% of the 11,189, essentially all were: open recursive
resolvers, misconfigured, older systems, and mostly running mobile

What was interesting was the analysis of the attackers within the
study. The only ones really identified were RFI scanners / hackers in
a few cases, pounding away via multiple spoofed IPs, with very small

On Fri, Nov 9, 2012 at 1:15 PM, Lutz Donnerhacke <lutz at iks-jena.de> wrote:
> About 7% of hosted servers are open relays causing between 20 and 80% of DNS
> traffic when misused by DNS reflection and amplification attacks.
> Which numbers do you see?
> http://lutz.donnerhacke.de/eng/Blog/DNS-Amplicfication-in-the-eyes-of-a-hosting-provider

Jart Armin - CyberDefcon  HostExploit
