[dns-operations] Slow Drip DDOS Attack Research
paul at redbarn.org
Wed Nov 7 17:58:55 UTC 2018
from page 2 of the PDF:
> The Slow Drip attack is designed to target an authoritative name
> server. In its simplest form, a large volume of DNS requests are sent
> to open resolvers requesting the resolution IP (the A record) of
> random subdomains of a registered domain. The random hostnames, or
> domain prefixes, serve the purpose of ensuring that the queries are
> forwarded to the authoritative name servers through the global DNS.
> As the requests cascade into the authoritative name servers, they
> return NXDOMAIN (rcode=3) responses, but ultimately the servers are

this is why DNS Response Rate Limiting (DNS RRL) uses a smaller default
for negative limits than for positive ones. note, again, that the
defaults are carefully considered, and likely won't benefit from tuning.

i also question whether open resolvers are truly nec'y for this attack.
opendns and google do a lot of rate limiting and have 24x7 human
coverage to detect anomalies. i have to assume that IBM and CloudFlare
do the same, or else we'd have heard about other amplification attacks
through those open recursives before now.
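As an added illustration of the RRL point above (my own toy code, not Paul's, not BIND's, and not from the paper), a simplified RRL-style limiter that keeps separate positive and negative budgets per client netblock, and buckets NXDOMAIN answers by the enclosing zone so that random prefixes share one bucket. The per-second limits, the resolver address and the query stream are constructed values, not real defaults or real traffic.

```python
"""Toy RRL-style limiter: separate positive/negative limits per /24 and zone."""
import random
from collections import defaultdict
from ipaddress import ip_network

# Constructed limits (assumptions for this demo, NOT BIND's actual defaults).
POSITIVE_PER_SEC = 20   # answers that carry a record (rcode=0)
NEGATIVE_PER_SEC = 5    # NXDOMAIN answers (rcode=3), deliberately smaller


class Limiter:
    def __init__(self, pos=POSITIVE_PER_SEC, neg=NEGATIVE_PER_SEC):
        self.pos, self.neg = pos, neg
        self.counts = defaultdict(int)  # (second, client /24, key, class) -> n

    def allow(self, t, client_ip, qname, zone, rcode):
        """Return True if the answer may be sent, False if it is rate-limited.
        Real RRL 'slips' some limited answers as TC=1 instead of dropping them;
        this toy simply drops."""
        block = ip_network(f"{client_ip}/24", strict=False)
        if rcode == 3:
            # Negative answers are keyed by the enclosing zone, so a flood of
            # random prefixes (a1b2c3d4.example.com, ...) lands in ONE bucket.
            key, limit, cls = zone, self.neg, "neg"
        else:
            key, limit, cls = qname, self.pos, "pos"
        bucket = (int(t), block, key, cls)
        self.counts[bucket] += 1
        return self.counts[bucket] <= limit


def simulate(seed=1):
    """Constructed one-second stream from a single recursive resolver: 20
    legitimate lookups of an existing name mixed with 80 random-subdomain
    queries that the zone must answer with NXDOMAIN."""
    rng = random.Random(seed)
    lim = Limiter()
    resolver = "198.51.100.7"  # constructed address (TEST-NET-2)
    passed = {"pos": 0, "neg": 0}
    dropped = {"pos": 0, "neg": 0}
    for i in range(100):
        t = i / 100  # every query falls inside the same one-second window
        if i % 5 == 0:
            cls = "pos"
            ok = lim.allow(t, resolver, "www.example.com", "example.com", 0)
        else:
            cls = "neg"
            prefix = "".join(rng.choice("0123456789abcdef") for _ in range(8))
            ok = lim.allow(t, resolver, f"{prefix}.example.com", "example.com", 3)
        (passed if ok else dropped)[cls] += 1
    return passed, dropped
```

The result shows the behaviour the post describes: the resolver's legitimate positive answers all go through, while the random-subdomain NXDOMAINs from the same source are cut to the smaller negative budget.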