[dns-operations] Sierra Leone (.sl) TLD
Damian Menscher
damian at google.com
Fri Feb 28 00:00:22 UTC 2025
On Sun, Feb 23, 2025 at 4:38 AM Meir Kraushar via dns-operations <
dns-operations at dns-oarc.net> wrote:
> The .sl ccTLD (Sierra Leone) is being used as an amplifier for reflection
> attacks.
> It looks like the domain is horribly misconfigured:
>
> As a result,
> The reply size of "dig sl any" is 5814 (!)
> Again, this is being used as an amplifier for reflection attacks (victims
> referred to us for help).
> If anyone knows someone there who can fix this?
>
Focusing on specific records, domains, DNS servers, or even the DNS
protocol itself will not solve your problem. There are a dozen different
protocols which are abused for UDP amplification.

The only viable solution, as explained in my 2019 NANOG talk "Practical
Solutions for Amplification Attacks", is to stop the spoofed packets at the
source networks that emit them. Spoofing is fairly straightforward to
trace, and several people in the operational community are doing it, but
it's often challenging to explain to network engineers why they should care
about outbound abuse... especially in cases where their companies are
profiting from that abuse.

So, if you want to solve this, push hard on your network team to learn to
trace spoofing. Feel free to contact me for tips (though unless your
network has a global presence you probably need to ask your upstream to do
it).

Damian
--
Damian Menscher :: Security Reliability Engineer :: Google :: AS15169