<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Sat, Sep 3, 2016 at 8:23 PM, Roland Dobbins <span dir="ltr"><<a href="mailto:rdobbins@arbor.net" target="_blank">rdobbins@arbor.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 4 Sep 2016, at 8:42, Damian Menscher wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
At that point the attacker could just hit the victim<br>
directly.<br>
</blockquote>
<br></span>
That's the whole point of reflection - to do so *indirectly*, heh.</blockquote><div><br></div><div>To what end? If they want to obfuscate the source IP, why not simply spoof the source IPs in a direct attack? I maintain that amplification is key -- reflection is just a means to an end. (Reflection potentially makes traceback slightly harder, but it's hard to imagine any attacker caring about that.)</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
RRL applied at authoritative servers doesn't accomplish anything -- all amplification attacks reflect off recursive resolvers, not authoritative<br>
servers.<br>
</blockquote>
<br></span>
Actually, quite a bit of DNS reflection/amplification is direct from the initiators to the reflectors/amplifiers (in this case, the authoritative servers). There are essentially two variants of DNS reflection/amplification - one involving a tier of open recursors, the other not utilizing them.<br>
<br>
RRL on the authoritatives being used helps in either scenario.<br></blockquote><div><br></div><div>No. Most attacks amplify off recursive resolvers, and those do a single authoritative lookup which they then cache for its TTL. RRL does nothing to help in this case.</div><div><br></div><div>I understand that RRL can help in the case of amplification directly off authoritative servers, but I've never seen an attacker do that (or perhaps just didn't notice).</div><div><br></div><div>Damian</div></div></div></div>
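<div>The two attack variants argued over above, as an added illustration that is not code from the thread or from either poster. It models an attacker spoofing the victim's address either straight at an authoritative server or at a tier of open recursors, and applies a simplified BIND-style RRL (responses counted per client /24, qname and qtype per second, with a truncated "slip" reply every second dropped response) at the authoritative. Every number in it, the packet sizes, TTL, query rate, number of reflectors and RRL limit, is an assumption chosen to show the mechanism, not a measurement; the recursor addresses and victim address are made up.</div>

```python
"""
Toy model of DNS reflection/amplification with and without RRL on the
authoritative server.  Added example, not code from the thread.  All sizes,
rates and limits below are assumptions for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

QUERY_BYTES = 60       # assumed size of one spoofed UDP query
ANSWER_BYTES = 3000    # assumed size of a large (e.g. ANY + DNSSEC) answer
TC_BYTES = 60          # assumed size of a truncated (TC=1) RRL "slip" reply

VICTIM = "192.0.2.10"            # spoofed source address (documentation range)
NAME, QTYPE = "example.com.", "ANY"


@dataclass
class Authoritative:
    rrl_limit: Optional[int]     # responses/second per key; None = RRL off
    slip: int = 2                # every slip-th dropped response becomes a TC reply
    queries_seen: int = 0
    counters: dict = field(default_factory=lambda: defaultdict(int))

    def respond(self, client_ip, qname, qtype, second):
        """Bytes sent toward client_ip for one query arriving in `second`."""
        self.queries_seen += 1
        if self.rrl_limit is None:
            return ANSWER_BYTES
        # simplified RRL key: client /24, qname, qtype, counted per second
        key = (client_ip.rsplit(".", 1)[0], qname, qtype, second)
        self.counters[key] += 1
        n = self.counters[key]
        if n <= self.rrl_limit:
            return ANSWER_BYTES
        over = n - self.rrl_limit
        return TC_BYTES if self.slip and over % self.slip == 0 else 0


@dataclass
class OpenRecursor:
    ip: str
    auth: Authoritative
    ttl: int
    cache: dict = field(default_factory=dict)   # (qname, qtype) -> expiry second

    def resolve(self, client_ip, qname, qtype, second):
        """Bytes sent toward the (spoofed) client_ip; at most one upstream lookup per TTL."""
        key = (qname, qtype)
        if key not in self.cache or self.cache[key] <= second:
            got = self.auth.respond(self.ip, qname, qtype, second)
            if got != ANSWER_BYTES:
                return 0        # dropped/truncated upstream: nothing to relay (simplified)
            self.cache[key] = second + self.ttl
        return ANSWER_BYTES     # served from cache: the authoritative never sees it


def simulate_direct(auth, rate, seconds):
    """Variant 1: spoofed queries go straight to the authoritative."""
    return sum(auth.respond(VICTIM, NAME, QTYPE, s)
               for s in range(seconds) for _ in range(rate))


def simulate_via_recursors(recursors, rate, seconds):
    """Variant 2: spoofed queries go to a tier of open recursors, round-robin."""
    return sum(recursors[i % len(recursors)].resolve(VICTIM, NAME, QTYPE, s)
               for s in range(seconds) for i in range(rate))


def run(rate=100, seconds=10, n_recursors=50, ttl=300, rrl_limit=5):
    """Run both variants with RRL off and on; return bytes toward the victim."""
    sent = rate * seconds * QUERY_BYTES          # what the attacker actually emits
    results = {}
    for label, limit in (("rrl_off", None), ("rrl_on", rrl_limit)):
        auth_direct = Authoritative(rrl_limit=limit)
        direct = simulate_direct(auth_direct, rate, seconds)
        auth_behind = Authoritative(rrl_limit=limit)
        # assumed: open recursors sit in distinct /24s, so RRL sees distinct clients
        recursors = [OpenRecursor(f"10.{i}.0.53", auth_behind, ttl) for i in range(n_recursors)]
        via = simulate_via_recursors(recursors, rate, seconds)
        results[label] = {
            "direct_victim_bytes": direct,
            "direct_amplification": direct / sent,
            "via_recursors_victim_bytes": via,
            "via_recursors_amplification": via / sent,
            "auth_queries_seen_via_recursors": auth_behind.queries_seen,
        }
    return results


if __name__ == "__main__":
    for label, r in run().items():
        print(label, r)
```

With the assumed numbers, RRL on the authoritative cuts the direct variant from 50x amplification to about 3x, while the recursor variant still delivers the full 50x: each recursor asks the authoritative once and answers the remaining spoofed queries from cache for the whole TTL, so the authoritative sees 50 queries from 50 distinct /24s and RRL never triggers. Real RRL also keys on rcode and uses token buckets rather than per-second counters, and a recursor that gets a TC reply would retry over TCP; neither changes the picture above.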