[dns-operations] Force TCP for external quereis to Open Resolvers?

Fred Morris m3047 at m3047.net
Sun Mar 31 19:16:00 UTC 2013


On Sun, 31 Mar 2013, Jim Reid wrote:
> Remember too that in these DDoS attacks truncated UDP responses would
> still be going to spoofed addresses. So those victims still get hit,
> albeit without the amplification factor of a chubby DNS response.

Yes. But there's no reason for them to abuse the DNS (no reason not to,
either) as they can send packets with spoofed source addresses directly at
the target. They're doing it anyway to direct them at the intermediate DNS
resource: but they could just cut the middleman out altogether and spoof a
fat DNS response from your nameserver, couldn't they? Or anything else.
Point is, since they spoof source addresses, they can spoof source
addresses; it's not even a tautalogy, it's identity.

They're doing it for the amplification.

--

Fred Morris




More information about the dns-operations mailing list