[dns-operations] DNS ANY requests / UltraDNS

Javy de Koning javy1986 at gmail.com
Thu Jan 10 09:04:28 UTC 2013


I agree that both approaches do not help against reflection. However, they do take away the amplification, making the attack less attractive.

09:47:34.587094 IP localhost.41054 > localhost.domain: 16533+ [1au] ANY? prague.studlab.os3.nl. (50)
09:47:34.587501 IP localhost.domain > localhost.41054: 16533*|$ 0/0/1 (50)

-Javy

On Jan 10, 2013, at 9:34 AM, Lutz Donnerhacke <lutz at iks-jena.de> wrote:

> * Colm MacCárthaigh wrote:
>> On Wed, Jan 9, 2013 at 4:24 PM, Scott Brynen
>> <scott.brynen at visioncritical.com> wrote:
>>> In an interesting development to this, UltraDNS are starting to REFUSE a
>>> UDP/ANY request on some of their name servers.
>> 
>> Considering that a status=REFUSED response is exactly as large as a
>> TC=1 response with no answer section, is there a technical benefit to
>> responding with REFUSED?
> 
> Both approaches do not help. The traffic generated by such small answers to
> spoofed queries is still sufficient to bring the target down. Been there, done
> that, got sued.
> 
> That's why I switched to a much more aggressive "DNS dampening".
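
The size comparison discussed in this thread, as an added example that is not part of any poster's message: it builds the ANY query from the capture above plus a TC=1 reply and a REFUSED reply in DNS wire format, then compares payload sizes. Assumptions: both replies echo the question and an empty OPT record, the EDNS UDP size is 4096, and flag bits other than TC and RCODE are chosen for illustration (none of these change the length).

```python
import struct

QTYPE_ANY, QCLASS_IN, RRTYPE_OPT = 255, 1, 41          # RFC 1035 / RFC 6891
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100
RCODE_REFUSED = 5

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def opt_rr(udp_size=4096):
    """Empty EDNS0 OPT pseudo-RR: root name, TYPE=41, CLASS=UDP size, TTL=0, RDLEN=0."""
    return b"\x00" + struct.pack("!HHIH", RRTYPE_OPT, udp_size, 0, 0)

def message(msg_id, flags, name):
    """Header + one ANY question + no answers + one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", QTYPE_ANY, QCLASS_IN)
    return header + question + opt_rr()

def summary(msg):
    """Decode the fixed header: (TC bit, RCODE, 'an/ns/ar' counts as tcpdump prints them)."""
    _, flags, _, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return bool(flags & FLAG_TC), flags & 0x000F, "%d/%d/%d" % (an, ns, ar)

def amplification(query, response):
    """Response bytes per query byte (DNS payload only, IP/UDP headers excluded)."""
    return len(response) / len(query)

NAME = "prague.studlab.os3.nl."    # query name from the capture above
MSG_ID = 16533                     # query ID from the capture above
query = message(MSG_ID, FLAG_RD, NAME)
# Flag bits other than TC / RCODE are assumptions; they do not affect the size.
truncated = message(MSG_ID, FLAG_QR | FLAG_AA | FLAG_TC | FLAG_RD, NAME)
refused = message(MSG_ID, FLAG_QR | FLAG_RD | RCODE_REFUSED, NAME)

if __name__ == "__main__":
    for label, msg in (("query", query), ("TC=1", truncated), ("REFUSED", refused)):
        print("%-8s %3d bytes  x%.2f  %s" % (label, len(msg),
              amplification(query, msg), summary(msg)))
```

All three messages come out at the 50 bytes shown in the capture, so either reply reflects traffic at a 1:1 ratio rather than amplifying it.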



