[dns-operations] Why reflection is used

Bob Harold rharolde at umich.edu
Mon Apr 1 13:59:32 UTC 2013


I have heard that DNS reflection is used for:

1. Amplification (this is usually assumed to be the main reason)

2. Make it harder to find the original sender (this is usually assumed to
be a secondary reason, or even only a side-effect)

What I have not heard, but assume might be a reason:

3. Send traffic through a different path.  The (spoofed, victim) IP being
attacked might have more than one connection to the "internet", or their
ISP at least should have more than one connection.  Sending traffic
directly will most likely only take one path, and congestion or limiting on
that path might limit the amount of traffic that reaches the victim.
Reflecting packets off various other (DNS) servers allows traffic to be
sent to the client from multiple directions.  (For those that don't already
have a distributed botnet at their disposal.)

Even if we solve DNS Amplification, reasons 2 and 3 seem sufficient for
attackers to continue to use reflection.

-- 
Bob Harold
DNS operator
University of Michigan