[dns-operations] DNS reflection useful without amplification?

Damian Menscher damian at google.com
Thu Sep 8 05:18:22 UTC 2016


On Wed, Sep 7, 2016 at 9:47 PM, Paul Vixie <paul at redbarn.org> wrote:
>
> Damian Menscher wrote:
>
>> On Wed, Sep 7, 2016 at 1:23 AM, Paul Vixie <paul at redbarn.org> wrote:
>>
>>     <http://www.circleid.com/posts/20130913_on_the_time_value_of_security_features_in_dns/>)
>>
>> It's a fine claim, but is unrelated to the subject line of this thread,
>> "DNS reflection useful without amplification?"  You're simply claiming
>> amplification is useful for pps (as well as for bps), not that
>> amplification is not needed.
>>
>
> i should turn in my keyboard and stop writing, maybe. how can i make clear
> that reflection is an adequate motive for an attacker, and that only
> attenuation, at both the packet level and the octet level, will discourage
> such attackers? where "discourage" means making them find other
> non-attenuating reflectors.


Successful attacks rely on an asymmetry in the resources expended by the
attacker and the defender.  This is accomplished via various mechanisms:
  - synfloods attempt to be stateless for the attacker but stateful for the victim
  - layer 7 attacks are cheap requests that require expensive processing for the backend
  - amplification attacks magnify the bps and pps available to the attacker by using third-party resources
  - botnets are another way to cheat (using someone else's resources)

As I said earlier in this thread, reflection without amplification is
nearly indistinguishable from a direct (spoofed) attack.  I suppose you
could argue that many attackers are too stupid to realize that?  But their
attacks are unlikely to be successful, so I'm guessing they'd figure it out
soon enough.

Damian
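
The pps and bps ratios both posters argue about can be measured by an operator on their own server. The following is an added example, not code from either poster: it classifies a sample of query/response sizes as attenuating, plain reflection, or amplifying. The DNS message sizes are constructed, and the model assumes IPv4 without options, a 1500-byte MTU, and no link-layer framing.

```python
import math

IP_HDR, UDP_HDR = 20, 8  # assumption: IPv4 header without options, plus UDP header


def wire_cost(dns_len, mtu=1500):
    """Return (packets, bytes) on the wire for one UDP datagram of dns_len DNS bytes.

    dns_len=None means no response was sent (dropped or rate limited).
    """
    if dns_len is None:
        return 0, 0
    ip_payload = UDP_HDR + dns_len
    # Non-final IPv4 fragments carry a multiple of 8 payload bytes.
    per_fragment = (mtu - IP_HDR) // 8 * 8
    packets = math.ceil(ip_payload / per_fragment)
    return packets, ip_payload + IP_HDR * packets


def profile(samples, mtu=1500):
    """samples: iterable of (query_dns_len, response_dns_len or None)."""
    q_pkts = q_bytes = r_pkts = r_bytes = 0
    for q_len, r_len in samples:
        p, b = wire_cost(q_len, mtu)
        q_pkts, q_bytes = q_pkts + p, q_bytes + b
        p, b = wire_cost(r_len, mtu)
        r_pkts, r_bytes = r_pkts + p, r_bytes + b
    pps, bps = r_pkts / q_pkts, r_bytes / q_bytes
    if pps < 1 and bps < 1:
        verdict = "attenuating"        # less goes out than came in, on both axes
    elif pps > 1 or bps > 1:
        verdict = "amplifying"         # third-party resources magnify the stream
    else:
        verdict = "plain reflector"    # roughly what a direct spoofed flood delivers
    return {"pps_ratio": pps, "bps_ratio": bps, "verdict": verdict}


if __name__ == "__main__":
    # Constructed samples: (query bytes, response bytes or None if dropped)
    cases = {
        "same-size replies": [(40, 40)],
        "large replies": [(40, 3000)],        # fragments into 3 packets
        "half of replies dropped": [(40, 40), (40, None)],
    }
    for name, samples in cases.items():
        print(name, profile(samples))
```
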