[dns-operations] DNS amplification attacks in draft-ietf-savi-threat-scope-08

Stephane Bortzmeyer bortzmeyer at nic.fr
Thu May 16 07:44:29 UTC 2013


IETF document
<http://www.rfc-editor.org/internet-drafts/draft-ietf-savi-threat-scope-08.txt> 
(approved by IESG and currently in the RFC Editor Queue) contains:

>   DNS is one of the common targets of such attacks.  The
>   amplification factor observed for attacks targeting DNS root and
>   other top level domain name infrastructure in early 2006 was on
>   the order of 76:1.

Two things puzzle me: I'm not sure of what attack they are referring
to since there is no reference in the RFC. Is it the one discussed in
tge "DNS deluge for x.p.ctrc.c" thread on the NANOG mailing list in
february 2006?

And the second is the mentioned amplification factor. All the DNS
servers I know limit the size of the UDP answer to 4 096 bytes, 4 144
with the IPv4 and UDP headers. A factor of 76:1 needs requests smaller
or equal to 54 bytes, which leaves only SIX bytes for the DNS
message... How did they reach this number?



More information about the dns-operations mailing list