[dns-operations] Recently closed open resolver and reflection attacks
WBrown at e1b.org
Wed Mar 6 18:11:28 UTC 2013
Joe Abley <jabley at hopcount.ca> wrote on 03/06/2013 12:49:22 PM:
> On 2013-03-06, at 12:36, WBrown at e1b.org wrote:
> > Is there any reason why recursive queries to an authoritative server
> > would normally get a REFUSED reply shouldn't be dropped instead of
> > an answer?
> There's no amplification potential in sending such queries, so
> perhaps not much of a threat to defend against. As I understand your
> original message, now, RRL would presumably penalise repeat offenders.
True, there is no amplification, but there is traffic to the real owner of
the spoofed address. One machine could launch 1M spoofed queries to many,
many authoritative name servers, which would happily send answers to the
target. This may be subject to rate limiting, which would reduce the flood
some, but they just abuse more name servers to make up for it.
> There's always reduced ability to troubleshoot and the potential for
> time-outs when you don't send a reply at all.
Yes, the result of a dropped packet would be a timeout, which would have
to be handled at the source of the query.
> Suppressing REFUSED responses seems like potential risk and little
Benefit is not for me, but for the target of the flood - until I become
the target. :)
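As an added illustration of the two points argued above (a REFUSED reply echoes the question and adds nothing, so the reflection factor is about 1.0, while per-destination rate limiting throttles a spoofed flood without touching a slow legitimate client), here is example code that is not part of this thread. The names and the `RefusedRateLimiter` class are my own, and the limiter is a simplified token-bucket model, not the actual BIND RRL algorithm; the query and addresses are constructed samples.

```python
import struct
from collections import defaultdict

def build_query(qname, qtype=1, txid=0x1234, rd=True):
    """Minimal RFC 1035 query: 12-byte header plus one question (constructed sample)."""
    flags = 0x0100 if rd else 0  # RD=1 makes this a recursive query
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)

def refused_reply(query):
    """An authoritative server's REFUSED reply: same ID, QR=1, RD echoed, RCODE=5,
    question section echoed, no answer records. Nothing is added, so nothing is amplified."""
    txid, flags = struct.unpack("!HH", query[:4])
    flags = 0x8000 | (flags & 0x0100) | 0x0005
    return struct.pack("!HH", txid, flags) + query[4:]

def amplification(query):
    """Bytes sent to the (possibly spoofed) source per byte of query received."""
    return len(refused_reply(query)) / len(query)

class RefusedRateLimiter:
    """Simplified model (assumption, not BIND's RRL) of rate limiting REFUSED replies.
    One token bucket per reply destination allows `per_second` replies; above that,
    every `slip`-th reply is still sent so a real client can notice, the rest are dropped."""
    def __init__(self, per_second=5, slip=2):
        self.rate, self.slip = per_second, slip
        self.tokens = defaultdict(lambda: float(per_second))
        self.last = {}
        self.over = defaultdict(int)

    def decide(self, dst, now):
        """Return 'send', 'slip' or 'drop' for one REFUSED reply to dst at time now (seconds)."""
        elapsed = now - self.last.get(dst, now)
        self.last[dst] = now
        self.tokens[dst] = min(self.rate, self.tokens[dst] + elapsed * self.rate)
        if self.tokens[dst] >= 1:
            self.tokens[dst] -= 1
            return "send"
        self.over[dst] += 1
        return "slip" if self.over[dst] % self.slip == 0 else "drop"

def simulate(limiter, dst, n, interval):
    """Feed n REFUSED replies addressed to dst, `interval` seconds apart (constructed
    traffic); return how many the server would send, slip and drop."""
    counts = {"send": 0, "slip": 0, "drop": 0}
    for i in range(n):
        counts[limiter.decide(dst, i * interval)] += 1
    return counts
```

A spoofed burst of 100 queries 1 ms apart at a 5/s budget gets 5 full replies, 47 slipped and 48 dropped, while a legitimate client asking once a second is never throttled.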