[dns-operations] DNS reflection useful without amplification?

Damian Menscher damian at google.com
Fri Sep 9 19:53:14 UTC 2016


On Thu, Sep 8, 2016 at 1:48 AM, Phil Regnauld <regnauld at nsrc.org> wrote:

> Paul Vixie (paul) writes:
> > Damian Menscher wrote:
> > >> ...
> > >As I said earlier in this thread, reflection without amplification is
> > >nearly indistinguishable from a direct (spoofed) attack.  ...
> >
> > and as i, and roland, and others have all said, the distinction is more
> > notable in our experience than in your claim.
>
>         Lots more work tracking down the source, especially if the initiator
>         is using multiple reflectors for diversity. Instead of a single
>         backtrack, it could be 5-10. Knock down one, 9 to go :(


Tracing a reflected attack is slightly more difficult than tracing a direct
attack, but not for the reasons you claim.  It's because you need to
convince those operating reflectors to perform that traceback for you, and
in general they have no incentive to help.

> > when calling NOC's looking for bumps in traffic graphs that might only
> > match to one or two sigmas, a reflected attack is in practical terms
> > untraceable.
>
>         It is indeed a pain.


Tracing spoofed traffic is easy if you use the right tools (netflow) rather
than trying to look for bumps in traffic.

Paul is correct here that many poorly-run networks don't collect or know
how to analyze netflow, making their jobs much harder.  For those
constrained to look for bumps, it's worth noting that it gets easier as you
get closer to the source, but even getting near it can be quite
challenging.  One trick is to simply deploy counters watching for udp/53
traffic (and 123, and 1900, and 19, and ...) -- the top sources should
stand out.

Damian
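An added example, not part of Damian's message or the thread, of the counter trick he describes: it runs over constructed NetFlow-style records, tallies UDP packets headed to the reflection ports named above (53, 123, 1900, 19), and ranks the tallies by ingress interface rather than by source address, because the source addresses in spoofed traffic cannot be trusted. The record layout, interface names and packet counts are assumptions made for the example.

```python
"""Rank UDP traffic toward reflection ports by ingress interface."""
from collections import Counter

# UDP destination ports of the reflection services named in the thread:
# DNS (53), NTP (123), SSDP (1900) and chargen (19).
REFLECTION_PORTS = {53, 123, 1900, 19}

# Constructed sample flows, tab-separated:
# ingress interface, src IP, dst IP, IP protocol, src port, dst port, packets.
# In this scenario the flows on if3 carry a spoofed source (the eventual
# victim), so counting by src IP would point at the wrong party.
SAMPLE_FLOWS = """\
if3\t198.51.100.7\t203.0.113.10\t17\t40001\t53\t120000
if3\t198.51.100.7\t203.0.113.11\t17\t40002\t53\t95000
if3\t198.51.100.7\t203.0.113.12\t17\t40003\t123\t80000
if1\t192.0.2.5\t203.0.113.53\t17\t51000\t53\t40
if2\t192.0.2.9\t203.0.113.80\t6\t52000\t80\t500
if1\t192.0.2.6\t203.0.113.123\t17\t53000\t123\t12
"""


def parse_flows(text):
    """Turn the tab-separated export into a list of flow dicts."""
    flows = []
    for line in text.splitlines():
        iface, src, dst, proto, sport, dport, pkts = line.split("\t")
        flows.append({"iface": iface, "src": src, "dst": dst,
                      "proto": int(proto), "sport": int(sport),
                      "dport": int(dport), "pkts": int(pkts)})
    return flows


def udp_to_reflection_ports(flows, ports=REFLECTION_PORTS):
    """Keep only UDP flows whose destination is a known reflection port."""
    return [f for f in flows if f["proto"] == 17 and f["dport"] in ports]


def top_sources(flows, key="iface", n=5):
    """Packet totals per (key, dport), largest first; the attack source
    should stand out. key='iface' groups by ingress interface, which is
    what matters when src addresses are spoofed."""
    counts = Counter()
    for f in udp_to_reflection_ports(flows):
        counts[(f[key], f["dport"])] += f["pkts"]
    return [(k, port, pkts) for (k, port), pkts in counts.most_common(n)]


if __name__ == "__main__":
    for iface, port, pkts in top_sources(parse_flows(SAMPLE_FLOWS)):
        print(f"{iface:>5}  udp/{port:<5} {pkts:>8} packets")
```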