Home page logo

nanog logo nanog mailing list archives

Re: DNS Amplification attack?
From: Stuart Henderson <stu () spacehopper org>
Date: Wed, 21 Jan 2009 11:43:05 +0000 (UTC)

On 2009-01-21, Kameron Gasso <kgasso-lists () visp net> wrote:
Christopher Morrow wrote:
a point to bear in mind here is that... 'its working' is good enough
for the bad folks :( no need to optimize when this works. Also, it's
likely this isn't all of the problem the spoofed requestors are seeing
these past few days :(

Unfortunately, I can't restrict traffic to/from my authoritative
nameservers like I can with my recursive ones, since it will break DNS
resolution for outside visitors to domains we host.

Fortunately, the spoofed queries are 60 bytes and my REFUSED responses
are only 59, so it's a terribly inefficient way to DoS someone.
However, I never said that the DDoS kiddies were smart - doesn't seem to
be stopping them from trying. :(


For you, yes.

In many cases, there's either no amplification or a small decrease
in traffic (though it makes it hard to shut off the true source).

In a few cases (e.g. tinydns), there's no response, so the attackers
traffic is wasted.

But what about the people that happen to have misconfigured their
authoritative DNS servers so that they're answering recursive queries
from the world? 60 -> 520 bytes isn't bad, and I bet it's not _that_

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]