[dns-operations] Slow Drip DDOS Attack Research
Renee Burton
rburton at infoblox.com
Wed Nov 7 11:25:43 UTC 2018
Bill,
Thanks, too, for the comment. As the literature over the last four years show -- plus lots of messages on this forum -- the real damage is collateral to the intermediate devices. Overall, it's a pretty silly approach to attack an authoritative server, certainly post November-2015. However, there is no doubt caching resolvers, proxies, and even load balancers in the middle are squashed by the ExploderBot actor specifically. Caches are overrun. We cite an excellent example of the broad damage by Kyushu Telecom in our references ("Water Torture: A slow Drip DNS DDOS Attack on QTNet").
Renée
On 11/6/18, 9:19 PM, "Bill Woodcock" <woody at pch.net> wrote:
> On Nov 6, 2018, at 5:55 PM, Warren Kumari <warren at kumari.net> wrote:
>
> I'm somewhat surprised that this document makes no mention of DNSSEC / RFC8198 "Aggressive Use of DNSSEC-Validated Cache”.
That is, indeed, an excellent way to isolate attack traffic from authoritatives.
-Bill
More information about the dns-operations
mailing list