nanog mailing list archives
Re: DNS Amplification attack?
From: Stuart Henderson <stu () spacehopper org>
Date: Wed, 21 Jan 2009 11:43:05 +0000 (UTC)
On 2009-01-21, Kameron Gasso <kgasso-lists () visp net> wrote:
Christopher Morrow wrote:a point to bear in mind here is that... 'its working' is good enough for the bad folks :( no need to optimize when this works. Also, it's likely this isn't all of the problem the spoofed requestors are seeing these past few days :(Unfortunately, I can't restrict traffic to/from my authoritative nameservers like I can with my recursive ones, since it will break DNS resolution for outside visitors to domains we host. Fortunately, the spoofed queries are 60 bytes and my REFUSED responses are only 59, so it's a terribly inefficient way to DoS someone. However, I never said that the DDoS kiddies were smart - doesn't seem to be stopping them from trying. :( Thanks,
For you, yes. In many cases, there's either no amplification or a small decrease in traffic (though it makes it hard to shut off the true source). In a few cases (e.g. tinydns), there's no response, so the attackers traffic is wasted. But what about the people that happen to have misconfigured their authoritative DNS servers so that they're answering recursive queries from the world? 60 -> 520 bytes isn't bad, and I bet it's not _that_ uncommon...
Current thread:
- DNS Amplification attack? Wil Schultz (Jan 20)
- Re: DNS Amplification attack? Raoul Bhatia [IPAX] (Jan 20)
- Re: DNS Amplification attack? David W. Hankins (Jan 20)
- Re: DNS Amplification attack? Mark Andrews (Jan 20)
- Re: DNS Amplification attack? David Coulthart (Jan 21)
- Re: DNS Amplification attack? Kameron Gasso (Jan 20)
- Re: DNS Amplification attack? Christopher Morrow (Jan 20)
- Re: DNS Amplification attack? Kameron Gasso (Jan 20)
- Re: DNS Amplification attack? Christopher Morrow (Jan 20)
- Re: DNS Amplification attack? Chris Adams (Jan 20)
- Re: DNS Amplification attack? Stuart Henderson (Jan 21)
- Re: DNS Amplification attack? Christopher Morrow (Jan 20)
- <Possible follow-ups>
- Re: DNS Amplification attack? jay (Jan 20)
- Re: DNS Amplification attack? Chris Adams (Jan 20)
- Re: DNS Amplification attack? jay (Jan 20)
- Re: DNS Amplification attack? Mark Andrews (Jan 20)
- Re: DNS Amplification attack? Crist Clark (Jan 21)
- Re: DNS Amplification attack? Chris Adams (Jan 21)
- Re: DNS Amplification attack? Mark Andrews (Jan 21)
- Re: DNS Amplification attack? Paul Vixie (Jan 21)
- Re: DNS Amplification attack? Florian Weimer (Jan 22)
- Re: DNS Amplification attack? Chris Adams (Jan 20)