nanog mailing list archives
Re: Mitigating DNS amplification attacks
From: Jeff Wheeler <jsw () inconcepts biz>
Date: Wed, 1 May 2013 06:42:32 -0400
On Tue, Apr 30, 2013 at 8:35 PM, Jared Mauch <jared () puck nether net> wrote:
Please provide advice and insights as well as directing customers to the openresolverproject.org website. We want to close these down, if you need an accurate list of IPs in your ASN, please email me and I can give you very accurate data.
I think that a public list of open-resolvers is probably overdue, and the only way to get them fixed. It is trivial to scan the entire IPv4 address space for DNS servers that do no throttling even without the resources of a malicious botnet. Smurf was only "fixed" because, as there were fewer networks not running `no ip directed-broadcast,` the remaining amplification sources were flooded with huge amounts of malicious traffic. The public list of smurf amplifiers turned out to be the only way to really deal with it. I predict the same will be true with DNS. -- Jeff S Wheeler <jsw () inconcepts biz> Sr Network Operator / Innovative Network Concepts
Current thread:
- Re: Mitigating DNS amplification attacks Dobbins, Roland (Apr 30)
- Re: Mitigating DNS amplification attacks Thomas St-Pierre (Apr 30)
- Re: Mitigating DNS amplification attacks Damian Menscher (Apr 30)
- Re: Mitigating DNS amplification attacks Thomas St-Pierre (Apr 30)
- Re: Mitigating DNS amplification attacks Dobbins, Roland (Apr 30)
- Re: Mitigating DNS amplification attacks Damian Menscher (Apr 30)
- Re: Mitigating DNS amplification attacks Doug Barton (May 01)
- Re: Mitigating DNS amplification attacks Thomas St-Pierre (Apr 30)
- <Possible follow-ups>
- Re: Mitigating DNS amplification attacks Jared Mauch (Apr 30)
- Re: Mitigating DNS amplification attacks Jeff Wheeler (May 01)
- Re: Mitigating DNS amplification attacks Dobbins, Roland (May 01)
- Re: Mitigating DNS amplification attacks Alain Hebert (May 01)
- Re: Mitigating DNS amplification attacks Jeff Wheeler (May 01)