[dns-operations] Slow Drip DDOS Attack Research
Dobbins, Roland
Roland.Dobbins at netscout.com
Wed Nov 7 18:28:51 UTC 2018
On 8 Nov 2018, at 0:58, Paul Vixie wrote:

> i also question whether open resolvers are truly nec'y for this
> attack.

Correct — the majority of DNS label-prepending & label-substitution
attacks we see are reflected through non-open DNS recursors.

Also, these attacks have been observed in the wild since at least 2009,
not 2014 or 2015. Many of these attacks (most of them, IMHO) are in
fact generated by IoT-based botnets residing on consumer broadband
access networks. And many of these attacks do not in fact make use of
spoofed queries.

The collateral impact footprint of these attacks on under-resourced and
poorly-defended recursive DNS farms, and the negative effects this has
on end-users of those recursors, is significant.

This is a good and informative paper; however, this attack methodology
is a bit more commonplace and used against a broader set of targets than
may be apparent at first blush. And the collateral-damage issue on
broadband access networks is important to understand.

--------------------------------------------
Roland Dobbins <roland.dobbins at netscout.com>