[dns-operations] Why reflection is used

Dobbins, Roland rdobbins at arbor.net
Mon Apr 1 14:25:09 UTC 2013


On Apr 1, 2013, at 8:59 PM, Bob Harold wrote:

> Even if we solve DNS Amplification, reasons 2 and 3 seem sufficient for attackers to continue to use reflection.

It's easy enough to utilize a botnet.  Some attackers are very aware of pathing, and take care to saturate multiple links, or attack infrastructure devices on multiple paths, etc.

One of the ideas behind reflection, especially of DNS traffic, is that it makes it more difficult to classify attack traffic from legitimate traffic.  There are ways to detect and classify this traffic, but many folks don't understand how to do so.

Reflection/amplification is utilized to leverage SNMP, ntp, and various UDP-based game servers, as well.

If we could somehow simply remove the ability to amplify, that would be a significant victory.  Removing the ability to spoof removes both the ability to amplify and the ability to reflect in the first place.

So, a two-pronged approach of a) BCP38/84 plus b) hunting down and fixing open recursors is in order.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton




More information about the dns-operations mailing list