[dns-operations] DNS reflection useful without amplification? (was: if you're banning ANY queries, don't forget to ban SOA as well)

Phil Regnauld regnauld at nsrc.org
Wed Sep 7 11:30:57 UTC 2016

Roland Dobbins (rdobbins) writes:
> On 7 Sep 2016, at 14:37, Mark Andrews wrote:
> > Reflection requires more time to trace back to the source.  You have to
> > trace from the target to the reflector then from the reflector to the
> > initiator.
> >
> > Reflection increases the number of streams that need to be chased back.
> +1

	And for every intermediate layer, the likelihood that the ops running
	the network that was used for amplification don't have proper [1]
	instrumentation to identify where the attack came from, increases.
	Which means more time working with *their* upstreams and, basically,
	doing their job.

	[1] Or incorrect instrumentation - hurray for non-NTP-synced logs,
	NATted hosts with no tracking of inside hosts, etc.
