[dns-operations] DNS reflection useful without amplification?

Damian Menscher damian at google.com
Thu Sep 8 05:18:22 UTC 2016

On Wed, Sep 7, 2016 at 9:47 PM, Paul Vixie <paul at redbarn.org> wrote:
> Damian Menscher wrote:
>> On Wed, Sep 7, 2016 at 1:23 AM, Paul Vixie <paul at redbarn.org> wrote:
>>     <http://www.circleid.com/posts/20130913_on_the_time_value_of_security_features_in_dns/>)
>> It's a fine claim, but is unrelated to the subject line of this thread,
>> "DNS reflection useful without amplification?"  You're simply claiming
>> amplification is useful for pps (as well as for bps), not that
>> amplification is not needed.
> i should turn in my keyboard and stop writing, maybe. how can i make clear
> that reflection is an adequate motive for an attacker, and that only
> attenuation, at both the packet level and the octet level, will discourage
> such attackers? where "discourage" means making them find other
> non-attenuating reflectors.

Successful attacks rely on an asymmetry in the resources expended by the
attacker and the defender.  This is accomplished via various mechanisms:
  - synfloods attempt to be stateless for the attacker but stateful for the
  - layer 7 attacks are cheap requests that require expensive processing for the backend
  - amplification attacks magnify the bps and pps available to the attacker by using third-party resources
  - botnets are another way to cheat (using someone else's resources)

As I said earlier in this thread, reflection without amplification is
nearly indistinguishable from a direct (spoofed) attack.  I suppose you
could argue that many attackers are too stupid to realize that?  But their
attacks are unlikely to be successful, so I'm guessing they'd figure it out
soon enough.
