[dns-operations] Recently closed open resolver and reflection attacks

WBrown at e1b.org WBrown at e1b.org
Wed Mar 6 18:11:28 UTC 2013


Joe Abley <jabley at hopcount.ca> wrote on 03/06/2013 12:49:22 PM:

> On 2013-03-06, at 12:36, WBrown at e1b.org wrote:
> 
> > Is there any reason why recursive queries to an authoritative server that 
> > would normally get a REFUSED reply shouldn't be dropped instead of getting 
> > an answer?
> 
> There's no amplification potential in sending such queries, so 
> perhaps not much of a threat to defend against. As I understand your
> original message, now, RRL would presumably penalise repeat offenders.

True, there is no amplification, but there is traffic to the real owner of 
the spoofed address.  One machine could launch 1M spoofed queries to many, 
many authoritative name servers, which would happily send answers to the 
target.  This may be subject to rate limiting, which would reduce the flood 
some, but they just abuse more name servers to make up for it.
 
> There's always reduced ability to troubleshoot and the potential for
> time-outs when you don't send a reply at all.

Yes, the result of a dropped packet would be a timeout, which would have 
to be handled at the source of the query. 
 
> Suppressing REFUSED responses seems like potential risk and little benefit.

Benefit is not for me, but for the target of the flood - until I become 
the target. :)
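For readers following the RRL point above, here is an added example (not code from the list, from BIND, or from any other name server) that models response rate limiting as a per-netblock token bucket with a "slip" ratio, and runs a constructed traffic mix through it: a flood of recursive queries whose source is spoofed to a victim at 192.0.2.7 (TEST-NET-1, constructed), which an authoritative server would answer with REFUSED, alongside a legitimate resolver at 198.51.100.9 (constructed). The rates, window, prefix lengths and class names are assumptions chosen for the illustration; the model is simplified and does not reproduce any real server's exact RRL algorithm.

```python
# Added example: simplified Response Rate Limiting (RRL) model.  Not BIND's or
# Knot's implementation; rates, window and addresses below are constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass
class RrlConfig:
    responses_per_second: int = 5   # budget for ordinary answers per netblock
    errors_per_second: int = 2      # budget for REFUSED/NXDOMAIN-style replies
    window: int = 15                # seconds of unused credit that may accumulate
    slip: int = 2                   # every slip-th limited reply goes out truncated (TC=1)
    ipv4_prefix_len: int = 24       # clients are grouped per netblock, not per address
    ipv6_prefix_len: int = 56


class ResponseRateLimiter:
    def __init__(self, cfg: RrlConfig):
        self.cfg = cfg
        self.buckets = {}                   # (netblock, kind) -> [credits, last_seen]
        self.slip_count = defaultdict(int)  # per-bucket counter driving the slip ratio

    def _netblock(self, src_ip: str) -> str:
        addr = ipaddress.ip_address(src_ip)
        plen = self.cfg.ipv4_prefix_len if addr.version == 4 else self.cfg.ipv6_prefix_len
        return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))

    def decide(self, src_ip: str, kind: str, now: float) -> str:
        """Return 'send', 'slip' or 'drop' for one response.

        kind is 'answer' or 'error' (REFUSED, NXDOMAIN, ...).  Every spoofed
        query carries the victim's source address, so the whole flood drains
        one bucket; a legitimate resolver elsewhere keeps its own budget.
        """
        rate = self.cfg.responses_per_second if kind == "answer" else self.cfg.errors_per_second
        key = (self._netblock(src_ip), kind)
        credits, last = self.buckets.get(key, (float(rate), now))
        # Refill by elapsed time, capped at `window` seconds' worth of credit.
        credits = min(credits + rate * (now - last), rate * self.cfg.window)
        if credits >= 1:
            self.buckets[key] = [credits - 1, now]
            return "send"
        self.buckets[key] = [credits, now]
        self.slip_count[key] += 1
        if self.cfg.slip and self.slip_count[key] % self.cfg.slip == 0:
            # Truncated reply: a few dozen bytes, and a real client retries over
            # TCP (which cannot be spoofed), so this limits the harm of drops.
            return "slip"
        return "drop"


def simulate(seconds: int = 3, spoofed_per_second: int = 100,
             cfg: Optional[RrlConfig] = None) -> dict:
    """Run constructed traffic through the limiter and count the decisions."""
    rrl = ResponseRateLimiter(cfg or RrlConfig())
    counts = {"victim": defaultdict(int), "legit": defaultdict(int)}
    for t in range(seconds):
        # Flood of RD=1 queries spoofed from the victim; the server's reply is REFUSED.
        for _ in range(spoofed_per_second):
            counts["victim"][rrl.decide("192.0.2.7", "error", t)] += 1
        # A legitimate resolver asking three ordinary questions per second.
        for _ in range(3):
            counts["legit"][rrl.decide("198.51.100.9", "answer", t)] += 1
    return {who: dict(c) for who, c in counts.items()}


if __name__ == "__main__":
    for who, result in simulate().items():
        print(who, result)
```

With the defaults, the victim's /24 receives only two full REFUSED replies per second from this one server plus a trickle of truncated ones; the rest are dropped, while the legitimate resolver's answers all go through. That is the middle ground between "always answer" and "always drop" in the exchange above: the reflected traffic is cut to a small fixed rate per netblock, but a real client that lands in a limited bucket still gets a truncated reply and can fall back to TCP rather than sit on a timeout.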





