[dns-operations] Configurable TC=1?
Roland Dobbins
rdobbins at arbor.net
Mon Dec 21 08:52:26 UTC 2015
On 21 Dec 2015, at 15:22, Anand Buddhdev wrote:
> A recent attack I witnessed involved flooding the victim name server
> with *responses*.
In other words, this DNS server was itself the victim of a naive DNS
reflection/amplification attack.
Authoritative, or recursive (hopefully not both)?
The sad part is that naive attacks like this succeed all too often due
to the unpreparedness of the defenders (see below).
> The attacker was just sending queries for a domain that none of these
> servers were carrying (and some weren't even running a name server),
> and so the victim address was flooded with one of the above.
FYI, this is not a typical DNS reflection/amplification attack
methodology. It is a very naive attack.
Note that if the targeted server was in fact an authoritative-only
server, the deployment of situationally-appropriate network access
policies in the form of ACLs on hardware-based routers and/or layer-3
switches would probably suffice to keep the attack traffic from reaching
the targeted server itself.
-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
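A defender-side check for the condition Roland describes above (an authoritative-only server being handed DNS responses it never asked for), written as an added Python example that is not part of this thread; the packet tuples, addresses and names are constructed, and the stateless "source port 53 to a non-53 port" rule is the usual router-ACL approximation of the same idea, since an ACL cannot read the DNS QR bit.

```python
import struct
from collections import Counter

def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_dns(txid, qr, qname, rcode=0):
    """Minimal DNS message: header plus one A/IN question. Constructed test data only."""
    flags = (0x8000 if qr else 0) | (rcode & 0xF)   # QR is the top bit of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)

def is_dns_response(payload):
    """True when the DNS header's QR bit is set, i.e. the packet is a response."""
    if len(payload) < 12:
        return False
    (flags,) = struct.unpack("!H", payload[2:4])
    return bool(flags & 0x8000)

def unsolicited_responses(packets):
    """An authoritative-only server never sends queries, so every inbound response is
    unsolicited. Returns a Counter of source IP -> number of such responses."""
    hits = Counter()
    for src_ip, _src_port, _dst_port, payload in packets:
        if is_dns_response(payload):
            hits[src_ip] += 1
    return hits

def stateless_acl_drop_count(packets):
    """A router ACL cannot see the QR bit; the stateless approximation is to drop UDP
    from source port 53 to any port other than 53 on the authoritative-only server."""
    return sum(1 for _, sp, dp, _ in packets if sp == 53 and dp != 53)

# Constructed packets as seen at the server: (src_ip, src_port, dst_port, payload).
SAMPLE_PACKETS = [
    ("198.51.100.7", 40123, 53, build_dns(0x1A2B, qr=0, qname="example.net.")),           # normal query
    ("203.0.113.5", 53, 47000, build_dns(0x5E6F, qr=1, qname="unserved.test.", rcode=5)),  # reflected REFUSED
    ("203.0.113.5", 53, 47001, build_dns(0x5E70, qr=1, qname="unserved.test.", rcode=5)),
    ("203.0.113.9", 53, 52000, build_dns(0x0001, qr=1, qname="unserved.test.", rcode=3)),  # reflected NXDOMAIN
    ("198.51.100.8", 53, 53, build_dns(0x2222, qr=0, qname="example.net.")),              # query from source port 53
]

if __name__ == "__main__":
    print(unsolicited_responses(SAMPLE_PACKETS))     # Counter({'203.0.113.5': 2, '203.0.113.9': 1})
    print(stateless_acl_drop_count(SAMPLE_PACKETS))  # 3
```

The last sample packet is why the two counts differ: a query arriving from source port 53 is legitimate traffic that the QR-bit check keeps and the stateless rule correctly leaves alone only because its destination port is 53.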