[dns-operations] DNS reflection useful without amplification? (was: if you're banning ANY queries, don't forget to ban SOA as well)
Phil Regnauld
regnauld at nsrc.org
Wed Sep 7 11:30:57 UTC 2016
Roland Dobbins (rdobbins) writes:
> On 7 Sep 2016, at 14:37, Mark Andrews wrote:
>
> > Reflection requires more time to trace back to the source. You have to
> > trace from the target to the reflector then from the reflector to the
> > initiator.
> >
> > Reflection increases the number of streams that need to be chased back.
>
> +1
And for every intermediate layer, the likelihood that the ops running
the network that was used for amplification don't have proper [1]
instrumentation to identify where the attack came from, increases.
Which means more time working with *their* upstreams and, basically,
doing their job.
[1] Or incorrect - hurray for non-NTP-synced logs, NATted hosts
with no tracking of inside hosts, etc.