[dns-operations] Configurable TC=1?

Roland Dobbins rdobbins at arbor.net
Mon Dec 21 08:52:26 UTC 2015

On 21 Dec 2015, at 15:22, Anand Buddhdev wrote:

> A recent attack I witnessed involved flooding the victim name server 
> with *responses*.

In other words, this DNS server was itself the victim of a naive DNS 
reflection/amplification attack.

Authoritative, or recursive (hopefully not both)?

The sad part is that naive attacks like this succeed all too often due 
to the unpreparedness of the defenders (see below).

> The attacker was just sending queries for a domain that none of these 
> servers were carrying (and some weren't even running a name server), 
> and so the victim address was flooded with one of the above.

FYI, this is not a typical DNS reflection/amplification attack 
methodology.  It is a very naive attack.

Note that if the targeted server was in fact an authoritative-only 
server, the deployment of situationally-appropriate network access 
policies in the form of ACLs on hardware-based routers and/or layer-3 
switches would probably suffice to keep the attack traffic from reaching 
the targeted server itself.

Roland Dobbins <rdobbins at arbor.net>

More information about the dns-operations mailing list