[dns-operations] Slow Drip DDOS Attack Research

Dobbins, Roland Roland.Dobbins at netscout.com
Wed Nov 7 18:28:51 UTC 2018

On 8 Nov 2018, at 0:58, Paul Vixie wrote:

> i also question whether open resolvers are truly nec'y for this 
> attack.

Correct — the majority of DNS label-prepending & label-substitution 
attacks we see are reflected through non-open DNS recursors.

Also, these attacks have been observed in the wild since at least 2009, 
not 2014 or 2015.  Many of these attacks (most of them, IMHO) are in 
fact generated by IoT-based botnets residing on consumer broadband 
access networks.  And many of these attacks do not in fact make use of 
spoofed queries.

The collateral impact footprint of these attacks on under-resourced and 
poorly-defended recursive DNS farms, and the negative effects this has 
on end-users of those recursors, is significant.

This is a good and informative paper; however, this attack methodology 
is a bit more commonplace and used against a broader set of targets than 
may be apparent at first blush.  And the collateral-damage issue on 
broadband access networks is important to understand.

Roland Dobbins <roland.dobbins at netscout.com>

More information about the dns-operations mailing list