nanog mailing list archives
Re: DDos syn attack
From: "Christopher L. Morrow" <chris () UU NET>
Date: Mon, 30 Dec 2002 18:06:46 +0000 (GMT)
On Mon, 30 Dec 2002, Randy Bush wrote:
> > This is also a very viable solution, provided the customer has provisioned for this with lower ttls on their DNS records, which a lot of people (thankfully) don't do
>
> actually, a bunch of research now shows that low ttls on A RRs (that are not the A RRs of NS RRs) have little effect. in the case a dns lookup is being done in a ddos, of course one would prefer if the attacking zombies cached the lookup <grin>.

wouldn't dns lookups be a bit time consuming and introduce a dos on the dos?? if you had to look up each time you crafted a packet it'd take a lot more effort to pound out 100kpps, no? Most of the flooders I've seen (I'm no programmer so I may be wrong on this) actually do a lookup to ip for the dest and just start making packets, never rechecking the name->ip mapping once it's done the first time. On the other hand, writing something for 100,000 codered clients to use is another story; if you have 100,000 hosts you can afford a dns lookup :) though most of them just do: ping -t www.psg.com 65000 or some msdos flavor of this... (I don't actually know the right flags for dos's ping program :( )

> randy
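The exchange above turns on two TTLs: the one on the target's own A records, which bounds how long resolvers keep handing out the old address after the site is moved, and the one on the A records of the zone's NS hosts, which Randy singles out as the ones that actually matter. The check below is an added example, not code from the thread or from either poster: it parses a constructed zone-file excerpt (standard library only) and reports both TTLs for a hostname so an operator can see, before an attack, whether re-addressing is a mitigation their DNS setup can support. The zone contents, the `example.test` names and the 300-second threshold are assumptions made for the illustration.

```python
"""Report the DNS TTLs that bound how long a stale name->IP mapping can be
served after a site is moved to a new address.  Added example; the zone
excerpt below is constructed and the names in it are hypothetical."""

# Constructed zone excerpt: NS glue at the zone default, www with a short
# explicit TTL, and mail inheriting the $TTL default.
SAMPLE_ZONE = """
$TTL 86400
example.test.      86400 IN NS   ns1.example.test.
example.test.      86400 IN NS   ns2.example.test.
ns1.example.test.  86400 IN A    192.0.2.1
ns2.example.test.  86400 IN A    192.0.2.2
www.example.test.    300 IN A    192.0.2.10   ; short TTL on the public name
mail.example.test.       IN A    192.0.2.20   ; no TTL field: uses $TTL
"""

RECORD_CLASS = "IN"


def parse_zone(text, default_ttl=None):
    """Parse a minimal zone-file excerpt: '$TTL n' lines and records of the
    form 'owner [ttl] [class] type rdata'.  Returns a list of dicts."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        if line.upper().startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        fields = line.split()
        owner = fields.pop(0).lower()
        ttl = default_ttl
        if fields and fields[0].isdigit():  # explicit TTL overrides $TTL
            ttl = int(fields.pop(0))
        if fields and fields[0].upper() == RECORD_CLASS:
            fields.pop(0)
        if ttl is None:
            raise ValueError(f"no TTL for {owner} and no $TTL default")
        rtype = fields.pop(0).upper()
        records.append({"owner": owner, "ttl": ttl, "type": rtype,
                        "rdata": " ".join(fields)})
    return records


def readdress_report(records, hostname, zone, max_acceptable_ttl=300):
    """For hostname, return the worst-case TTL of its A RRs (how long a
    resolver that just cached the old address will keep serving it) and the
    TTLs of the A RRs of the zone's NS hosts (the glue Randy refers to).
    ready_for_readdress is True only when the A TTL is known and within the
    assumed acceptable bound."""
    hostname = hostname.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    a_ttls = [r["ttl"] for r in records
              if r["owner"] == hostname and r["type"] == "A"]
    ns_names = {r["rdata"].lower() for r in records
                if r["owner"] == zone and r["type"] == "NS"}
    glue_ttls = {r["owner"]: r["ttl"] for r in records
                 if r["type"] == "A" and r["owner"] in ns_names}
    a_ttl = max(a_ttls) if a_ttls else None  # several A RRs: worst case
    return {
        "a_ttl": a_ttl,
        "ns_glue_ttls": glue_ttls,
        "ready_for_readdress": a_ttl is not None and a_ttl <= max_acceptable_ttl,
    }


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    for host in ("www.example.test", "mail.example.test"):
        print(host, readdress_report(recs, host, "example.test"))
```

The report deliberately shows the NS glue TTLs next to the A TTL rather than folding them into one verdict: a short TTL on `www` says nothing about how long resolvers keep using the old nameserver addresses if those move as well, which is the distinction the quoted reply draws.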
Current thread:
- DDos syn attack Mike Hyde (Dec 30)
- Re: DDos syn attack Christopher L. Morrow (Dec 30)
- Re: DDos syn attack Randy Bush (Dec 30)
- Re: DDos syn attack Christopher L. Morrow (Dec 30)
- Re: DDos syn attack Andrew Dorsett (Dec 30)
- Re: DDos syn attack Randy Bush (Dec 30)
- Re: DDos syn attack Christopher L. Morrow (Dec 30)