[dns-operations] DNS reflection useful without amplification? (was: if you're banning ANY queries, don't forget to ban SOA as well)

Shane Kerr shane at time-travellers.org
Wed Sep 7 03:16:47 UTC 2016


Paul,

At 2016-09-06 18:43:23 -0700
Paul Vixie <paul at redbarn.org> wrote:
> that could be fixed by always-return-TC on UDP ANY. but that would make 
> ANY no less useful for DDoS, since reflection is the primary virtue, and 
> amplification is a nice-to-have.

I've seen you make this claim several times, which is to say that the
main benefit to an attacker is not amplification but rather reflection.

In the past I've said that this seems dubious to me. After all, an
attacker that can use reflection can already spoof the source address
of their packets. Nevertheless I am wrong at least once every day
before breakfast, so I am happy to admit that I am wrong about this.

So... can you or anyone else provide any convincing evidence for
the utility of DNS reflection to an attacker? Has anyone seen their
servers be used in non-amplification DNS reflection attacks? Has anyone
been the victim of a non-amplification DNS reflection attack? (Of
course neither of those would actually prove real value to an attacker,
since people do things that don't help all the time, but at least it
means that attackers *think* that it has value.)

I'm happy to take replies off-list, although I don't think this should
be especially confidential. :)

Cheers,

--
Shane