Re: DNS requests from 209.67.50.203

["Bora Akyol" <akyol () akyol org>]

I am still curious as to why *this* attack would even exist (seeing that it
uses a spoofed source IP address) if people were filtering traffic that were
originationg from their networks properly.

I thought we discussed this already last month on the list.

Bora

----- Original Message -----
From: "Vern Paxson" <vern () ee lbl gov>
To: "Jared Mauch" <jared () puck Nether net>
Cc: "Steven M. Bellovin" <smb () research att com>;
<jtk () aharp is-net depaul edu>; <nanog () merit edu>
Sent: Tuesday, January 09, 2001 6:45 PM
Subject: Re: DNS requests from 209.67.50.203


> > A good way to reduce this is to turn off recursion for
> > people not on your network for your dns server.  This is fairly easy
> > to do with bind8/bind9.
>
> The attack isn't via recursive lookups (though recursion could help
augment
> the attack).  The reflection is in terms of the DNS reply to the purported
> requestor (really the victim).  At lbl.gov, none of the requests result in
> further lookups from our nameserver.  But the victim still receives the
reply
> stream, which from a combined large number of name servers is very large.
>
> See my draft paper
>
> ftp://ftp.ee.lbl.gov/.vp-reflectors.txt
>
> for a discussion of reflector attacks.
>
> Vern