Basic Question re Security issue
Mark Andrews
Mark_Andrews at isc.org
Sun Jul 27 09:08:38 UTC 2008
>
> In message <606F1AD6-F86A-436B-972E-1F204C64464C at menandmice.com>,
> Chris Buxton <cbuxton at menandmice.com> wrote:
>
> >Yes. There is an attack based on DNS queries with forged source
> >addresses.
> >
> >{basic description of DNS amplification attack scenario snipped}
>
> Although "open" recursive servers are certainly the easiest way to
> obtain the kinds of amplification needed to make an attack of this
> type truly menacing, I have long wondered if that's really the only
> way to obtain serious amplification for such an attack.
>
> Wouldn't it perhaps be more accurate to say that _any_ DNS server
> that is willing and able to serve up _any_ responses (even ones for
> zones for which it is authoritative) which are significantly larger
> than the relevant queries could be exploited as amplifiers, and thus
> be used as part of such an attack?
>
Yes. That's why we keep saying: deploy BCP 38. Open
recursive servers are just an easy amplifier.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org