[dns-operations] Slow Drip DDOS Attack Research

Renee Burton rburton at infoblox.com
Wed Nov 7 11:25:43 UTC 2018


Thanks, too, for the comment.  As the literature over the last four years show -- plus lots of messages on this forum -- the real damage is collateral to the intermediate devices. Overall, it's a pretty silly approach to attack an authoritative server, certainly post November-2015.  However, there is no doubt caching resolvers, proxies, and even load balancers in the middle are squashed by the ExploderBot actor specifically. Caches are overrun. We cite an excellent example of the broad damage by Kyushu Telecom in our references ("Water Torture: A slow Drip DNS DDOS Attack on QTNet"). 


On 11/6/18, 9:19 PM, "Bill Woodcock" <woody at pch.net> wrote:

    > On Nov 6, 2018, at 5:55 PM, Warren Kumari <warren at kumari.net> wrote:
    > I'm somewhat surprised that this document makes no mention of DNSSEC /  RFC8198 "Aggressive Use of DNSSEC-Validated Cache”.
    That is, indeed, an excellent way to isolate attack traffic from authoritatives.

More information about the dns-operations mailing list