[dns-operations] DNS reflection useful without amplification? (was: if you're banning ANY queries, don't forget to ban SOA as well)

Mark Andrews marka at isc.org
Wed Sep 7 07:37:03 UTC 2016

In message <CABSP1OeHAFYZDEbqXJCFUDYK6gT8cF6-x7cCukWd+2wxqBTjtQ at mail.gmail.com>, Damian Menscher writes:
> On Tue, Sep 6, 2016 at 8:16 PM, Shane Kerr <shane at time-travellers.org>
> wrote:
> >
> > At 2016-09-06 18:43:23 -0700
> > Paul Vixie <paul at redbarn.org> wrote:
> > > that could be fixed by always-return-TC on UDP ANY. but that would make
> > > ANY no less useful for DDoS, since reflection is the primary virtue, and
> > > amplification is a nice-to-have.
> >
> > I've seen you make this claim several times, which is to say that the
> > main benefit to an attacker is not amplification but rather reflection.
> >
> > In the past I've said that this seems dubious to me. After all, an
> > attacker that can use reflection can already spoof the source address
> > of their packets. Nevertheless I am wrong at least once every day
> > before breakfast, so I am happy to admit that I am wrong about this.
> >
> > So... can you or anyone else provide some convincing evidence for
> > the utility of DNS reflection to an attacker? Has anyone seen their
> > servers be used in non-amplification DNS reflection attacks? Has anyone
> > been the victim of a non-amplification DNS reflection attack? (Of
> > course neither of those would actually prove real value to an attacker,
> > since people do things that don't help all the time, but at least it
> > means that attackers *think* that it has value.)
> >
> You're essentially correct... nearly all the value of DNS reflection is in
> the amplification.  If amplification weren't possible, it's highly likely
> they'd switch to some other protocol.  This is because amplification allows
> for asymmetry in the attack -- an attacker who controls 1Gbps can take down
> a 40Gbps datacenter.
> Those who claim reflection is sufficient are considering various minor edge
> cases:
>   - Perhaps the victim is a home user with only a 100Mbps connection.  In
> that case amplification is unnecessary.
>   - A victim with multiple upstreams might suffer only a partial loss from
> a direct attack saturating one link, while a reflected attack would
> naturally spread across their upstreams.
>   - Launching attacks "from" the victim might generate abuse complaints,
> etc.

Reflection requires more time to trace back to the source.  You have to
trace from the target to the reflector then from the reflector to the

Reflection increases the number of streams that need to be chased back.

> Damian
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
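The thread turns on two numbers: how many bytes a spoofed 30-byte ANY query makes a resolver send to the victim, and what Paul's "always-return-TC on UDP ANY" does to that ratio. The following is an added example, not code from the thread or from ISC: it builds a DNS ANY query and two responses in wire format (a full answer set and a TC-only answer with an empty answer section) for a constructed zone, and computes the bandwidth amplification factor for each. The record set, the name example.test and the omission of EDNS0 and UDP/IP headers are assumptions made to keep the arithmetic visible; a real ANY answer with DNSKEY and large TXT records is far bigger.

```python
"""Constructed DNS messages comparing an open-resolver ANY response with the
always-return-TC alternative.  Added example, not code from the thread or
from ISC.  The zone contents are made up."""
import struct

QTYPE_A, QTYPE_TXT, QTYPE_ANY = 1, 16, 255
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080
HEADER_LEN = 12


def encode_name(name):
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, qid=0x1234):
    """UDP query with RD set and one question, no EDNS0 OPT record (assumption)."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def rr(rtype, rdata, ttl=3600):
    """Answer RR whose owner name is a compression pointer (0xC00C) to the
    question name at offset 12, as resolvers normally emit."""
    return struct.pack("!HHHIH", 0xC00C, rtype, 1, ttl, len(rdata)) + rdata


def txt_rdata(text):
    """TXT RDATA holding a single <character-string> (max 255 bytes)."""
    data = text.encode("ascii")
    assert len(data) <= 255, "one <character-string> per TXT RR in this toy"
    return bytes([len(data)]) + data


def build_response(query, answers, truncate=False):
    """Response echoing the question.  With truncate=True the answer section
    is dropped and TC is set: the client must retry over TCP, where the
    handshake validates the source address, so nothing large reaches a
    spoofed victim over UDP."""
    (qid,) = struct.unpack("!H", query[:2])
    question = query[HEADER_LEN:]
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    if truncate:
        return struct.pack("!HHHHHH", qid, flags | FLAG_TC, 1, 0, 0, 0) + question
    return (struct.pack("!HHHHHH", qid, flags, 1, len(answers), 0, 0)
            + question + b"".join(answers))


def amplification_factor(query, response):
    """Bandwidth amplification factor: DNS payload bytes delivered to the
    victim per payload byte the attacker spoofs.  UDP/IP headers are the
    same size in both directions and are left out."""
    return len(response) / len(query)


def compare_any(name="example.test"):
    """Return the BAF of a full ANY answer and of the TC-only variant."""
    # Constructed record set: three A records and two 200-byte TXT records.
    answers = [rr(QTYPE_A, bytes([192, 0, 2, i])) for i in (10, 11, 12)]
    answers += [rr(QTYPE_TXT, txt_rdata("v=" + "x" * 198)) for _ in range(2)]
    query = build_query(name, QTYPE_ANY)
    full = build_response(query, answers)
    tc_only = build_response(query, answers, truncate=True)
    return {
        "query_bytes": len(query),
        "full_baf": amplification_factor(query, full),
        "tc_baf": amplification_factor(query, tc_only),
        "tc_flag_set": bool(struct.unpack("!H", tc_only[2:4])[0] & FLAG_TC),
    }


if __name__ == "__main__":
    for key, value in compare_any().items():
        print(f"{key}: {value}")
```

With this zone the 30-byte query draws a 504-byte answer (BAF 16.8), which is Damian's asymmetry: every spoofed byte becomes nearly 17 at the victim. The TC-only response is exactly as long as the query (BAF 1.0), so reflecting through the resolver no longer buys bandwidth, only the indirection and the extra hop to trace that Mark describes.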
