[dns-operations] Force TCP for external quereis to Open Resolvers?

Paul Vixie paul at redbarn.org
Sun Mar 31 19:17:51 UTC 2013



Fred Morris wrote:
> On Sun, 31 Mar 2013, Jim Reid wrote:
>> Remember too that in these DDoS attacks truncated UDP responses would
>> still be going to spoofed addresses. So those victims still get hit,
>> albeit without the amplification factor of a chubby DNS response.
>
> Yes. But there's no reason for them to abuse the DNS (no reason not to,
> either) as they can send packets with spoofed source addresses directly at
> the target. They're doing it anyway to direct them at the intermediate DNS
> resource: but they could just cut the middleman out altogether and spoof a
> fat DNS response from your nameserver, couldn't they? Or anything else.
> Point is, since they spoof source addresses, they can spoof source
> addresses; it's not even a tautalogy, it's identity.
>
> They're doing it for the amplification.

i mostly agree. however, reflection offers one other minor boon, which
is a longer traceback path. that's why RRL attenuates both the packet
size and packet count. the deal we're offering attackers is, you can
reflect through here, but it'll cost you a lot more. we think the
residual benefit of reflection is not worth the attacker's cost, if they
have to send both more and larger packets than will be seen by the victim.

paul
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20130331/b998b287/attachment.html>


More information about the dns-operations mailing list