nanog mailing list archives

Re: DNS requests from 209.67.50.203

From: Vern Paxson <vern () ee lbl gov>
Date: Tue, 09 Jan 2001 18:45:45 PST

      A good way to reduce this is to turn off recursion for
people not on your network for your dns server.  This is fairly easy
to do with bind8/bind9.


The attack isn't via recursive lookups (though recursion could help augment
the attack).  The reflection is in terms of the DNS reply to the purported
requestor (really the victim).  At lbl.gov, none of the requests result in
further lookups from our nameserver.  But the victim still receives the reply
stream, which from a combined large number of name servers is very large.

See my draft paper

        ftp://ftp.ee.lbl.gov/.vp-reflectors.txt

for a discussion of reflector attacks.

                Vern

Current thread:

Re: DNS requests from 209.67.50.203 Steven M. Bellovin (Feb 24)
- Re: DNS requests from 209.67.50.203 Jared Mauch (Feb 24)
- <Possible follow-ups>
- Re: DNS requests from 209.67.50.203 Vern Paxson (Feb 24)
  - Re: DNS requests from 209.67.50.203 Bora Akyol (Feb 24)
- Re: DNS requests from 209.67.50.203 Matthew Zito (Feb 24)