[dns-operations] Slow Drip DDOS Attack

Renee Burton rburton at infoblox.com
Wed Nov 7 12:28:41 UTC 2018

Message: 3
Date: Tue, 6 Nov 2018 23:53:59 -0500
From: Dave Lawrence <tale at dd.org>
To: <dns-operations at lists.dns-oarc.net>
Subject: Re: [dns-operations] Slow Drip DDOS Attack Research
Message-ID: <23522.28647.281689.894253 at gro.dd.org>
Content-Type: text/plain; charset=us-ascii

Personally I've never been a fan of the "Slow Drip" moniker as from
the point of view of overwhelming an authority it is not at all really
like water torture.  Computers don't give a whit about the sort of
thing that is supposed to induce madness in human beings, and would
quite happily just absorb a "slow drip".  It's clearly not slow for
the target.

>> We agree. We debated long and hard about which name to use. In the end, we
decided to use the dominant terminology, even though it isn't what we'd have
chosen from a clean slate. I understand your criticism of that choice; it was a call.

There's an assertion made that "It utilizes client IP spoofing to a
degree not seen in other attacks" which kind of surprises me.  Given
that other DDoS attacks quite commonly use spoofing, I'm wondering how
"a degree not seen in other attacks" was quantified.

>> We do elaborate on the methodologies for these conclusions in the Attack Generators
section. Ultimately, this conclusion is the result of spending thousands of hours analyzing
pDNS and ICMP, of all sorts, not just this actor, and a ton of statistical analysis. Counter
examples welcome.

"The distribution of IP spoofing observed is inconsistent with requests originating from consumer endpoints. While IP spoofing is regularly used in large-scale botnet DDOS attacks, the spoofing capability available at any one compromised device varies widely. Because of the widespread adoption of RFC 2827, spoofing in well-managed networks is prohibited and in most others limited to forging of addresses within the source's true network block, or within adjacent network blocks. Additionally, routers and other NAT (network address translation) devices may replace the source IP address within a packet, thwarting spoofing. While there are rogue and poorly managed service providers globally which allow widespread, non-adjacent, spoofing, these networks are limited. The combination of all these factors creates a distinct texture in the client IP distribution of IP spoofing attacks."
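One measurable feature of the "texture" the quoted paragraph describes is how tightly the observed client addresses cluster inside network blocks: when BCP38 (RFC 2827) confines a sender to forging addresses within its own or adjacent blocks, a resolver or authority sees many distinct hosts packed into few /24s, whereas a source able to forge arbitrary addresses spreads them across many blocks. The script below is an added illustration of that one feature and is not code from the report, the list message or the authors' methodology; the two address samples are constructed, and the 0.5 threshold is an assumption chosen for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample A (documentation ranges, not observed data): 200 distinct
# hosts that all sit inside two /24 blocks, the shape expected when spoofing
# is confined to the sender's own or adjacent network blocks.
BLOCK_CONSTRAINED = [f"198.51.100.{h}" for h in range(1, 101)] + \
                    [f"203.0.113.{h}" for h in range(1, 101)]

# Constructed sample B: 200 distinct hosts, each in a different /24 and /16,
# the shape expected from a source able to forge non-adjacent addresses.
WIDELY_DISPERSED = [f"{11 + i}.{(i * 37) % 256}.{(i * 101) % 256}.1"
                    for i in range(200)]


def prefix_counter(ips, prefixlen):
    """Count how many query sources fall into each /prefixlen block."""
    counts = Counter()
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return counts


def dispersion(ips, prefixlen):
    """Distinct blocks divided by distinct hosts.

    1.0 means every host sits in its own block (no clustering at all);
    values near 0 mean the hosts are packed into a handful of blocks.
    """
    hosts = len(set(ips))
    if hosts == 0:
        return 0.0
    return len(prefix_counter(ips, prefixlen)) / hosts


def classify(ips, threshold=0.5):
    """Label a sample by its /24 dispersion.

    The threshold is an illustrative assumption for this example, not a
    value taken from the report.
    """
    score = dispersion(ips, 24)
    return "widely-dispersed" if score >= threshold else "block-constrained"


def summarize(ips):
    """Return the per-prefix dispersion figures a defender would eyeball."""
    return {
        "hosts": len(set(ips)),
        "blocks_24": len(prefix_counter(ips, 24)),
        "blocks_16": len(prefix_counter(ips, 16)),
        "dispersion_24": dispersion(ips, 24),
        "label": classify(ips),
    }


if __name__ == "__main__":
    for name, sample in (("sample A", BLOCK_CONSTRAINED),
                         ("sample B", WIDELY_DISPERSED)):
        print(name, summarize(sample))
```

Real traffic rarely splits this cleanly, and NAT rewriting, legitimate large resolvers and honest consumer networks all pull the numbers in different directions, so a figure like this is one input to the kind of statistical comparison the reply describes, not a verdict on its own.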

