[dns-operations] Recently closed open resolver and reflection attacks
WBrown at e1b.org
Wed Mar 6 16:36:20 UTC 2013
I recently helped close down an open recursive resolver. It is still
getting a lot of queries for isc.org/ANY which get a refused response
(unless slipped/dropped by RRL). Granted, this doesn't amplify the attack
since REFUSED is a fairly small packet, but it is still traffic to the
attacked site.

Given that no properly configured server should be querying this recursive
name server for isc.org, why should it respond with anything? Why not
just drop the packet for any recursive request if it is not going to
answer it? I suppose in the good old days, it was polite to say, "Sorry,
I can't answer that." We also used to accept unsolicited commercial
emails. The RFCs state we should either reject during SMTP or if we
accept a message, we should either deliver or generate a delivery failure.
Now we filter and drop spam on the floor.

I don't see these recursive requests as much different than spam.
--
William Brown
Core Hosted Application Technical Team and Messaging Team
Technology Services, WNYRIC, Erie 1 BOCES
(716) 821-7285
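
Added example, not part of the original message: a sketch that builds the isc.org/ANY query and the REFUSED reply in DNS wire format, to compare their sizes and the traffic reflected under a "refuse" versus a "drop" policy. It assumes no EDNS OPT record on either packet; the function names, the policy labels and the query rate are constructed for illustration.

```python
import struct

QTYPE_ANY = 255
QCLASS_IN = 1
RCODE_REFUSED = 5
FLAG_QR = 0x8000  # response bit
FLAG_RD = 0x0100  # recursion desired

def encode_name(name):
    """Encode a domain name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype, txid=0x1234):
    """Recursive query (RD=1), one question, no EDNS (assumption)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)

def build_refused(query):
    """REFUSED reply: same ID and question section, no resource records."""
    txid, flags = struct.unpack("!HH", query[:4])
    rflags = FLAG_QR | (flags & FLAG_RD) | RCODE_REFUSED
    header = struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0)
    return header + query[12:]

def amplification(query, response):
    """Bytes sent toward the spoofed source per byte received."""
    return len(response) / len(query)

def reflected_bytes(query_count, policy, response):
    """DNS payload bytes sent to the spoofed source for query_count queries."""
    if policy == "drop":
        return 0
    if policy == "refuse":
        return query_count * len(response)
    raise ValueError("unknown policy: " + policy)

if __name__ == "__main__":
    q = build_query("isc.org", QTYPE_ANY)
    r = build_refused(q)
    print("query bytes:", len(q), "REFUSED bytes:", len(r))
    print("amplification factor:", amplification(q, r))
    # 1000 queries is a constructed figure, not a measurement.
    for policy in ("refuse", "drop"):
        print(policy, reflected_bytes(1000, policy, r), "bytes reflected")
```

The sizes are DNS payload only; IP and UDP headers add the same overhead to the query and to the reply.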