nanog mailing list archives

Re: DNS Amplification Attacks


From: Paul Vixie <vixie () vix com>
Date: 20 Mar 2006 22:17:32 +0000


Attacks such as this one have been happening for a long time now, none of
us should be surprised. Two new things in the *recent* attacks are:

1. Wide exploitation in the wild, which draws attention.

that the press has been told about it this time, is new.  the scope of the
attack, either in breadth or intensity, is not new in these recent attacks.

2. Abusing EDNS for a larger amplification factor.

the use of EDNS is not new in these recent attacks, either.

The reason we released the text at this time (before we were ready, we 
were planning on making it academic-worthy) is that because of the lack 
of actual data out there and increasing FUD, we were encouraged to do so 
for the community.

any blame-putting on DNS or EDNS that fails to also mention amplification
that's possible via NTP or the fact that reflector attacks based on ICMP are
still common and practical even without smurf amplification, is itself FUD.

That is why in the paper we cover events that happened to ISPs rather
than just theoretical case studies.

in the paper i reviewed, the practical case studies were useful.  
-- 
Paul Vixie

