[dns-operations] Recently closed open resolver and reflection attacks

Casey Deccio casey at deccio.net
Wed Mar 6 16:48:07 UTC 2013

On Wed, Mar 6, 2013 at 8:36 AM, <WBrown at e1b.org> wrote:

> I recently help close down an open recursive resolver.  It is still
> getting a lot of queries for isc.org/ANY which get a refused response
> (unless slipped/dropped by RRL).  Granted, this doesn't amplify the attack
> since REFUSED is a fairly small packet, but it is still traffic to the
> attacked site.
Seems like a REFUSED response fits into its own RRL category.  Is there any
reason why name servers wouldn't simply drop them if they exceed the
configured RRL threshold--or even perhaps a lower threshold?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20130306/68a3c447/attachment.html>

More information about the dns-operations mailing list