[dns-operations] DNS reflection useful without amplification? (was: if you're banning ANY queries, don't forget to ban SOA as well)

Roland Dobbins rdobbins at arbor.net
Wed Sep 7 03:32:39 UTC 2016

On 7 Sep 2016, at 10:16, Shane Kerr wrote:

>  After all, an attacker that can use reflection can already spoof the 
> source address of their packets.

I already addressed this (heh) earlier in the thread.

> So... can you or anyone else provide any some convincing evidence for
> the utility of DNS reflection to an attacker?

It's already been explained in this thread, multiple time.

> Has anyone seen their servers be used in non-amplification DNS 
> reflection attacks?

No, because amplification is 'free'.  Were amplification *not* 'free', 
attackers would still use reflection - that's the point.

Roland Dobbins <rdobbins at arbor.net>

More information about the dns-operations mailing list