DNS Amplification Attacks... and a trivial proposal
Ronald F. Guilmette
rfg at tristatelogic.com
Fri Jun 14 00:51:23 UTC 2013
In message <51B9FB6A.1090701 at tiggee.com>,
David Miller <dmiller at tiggee.com> wrote:
>A system that requires the victim to take action to stop attacks...
You mean like the de facto "system" we have right now?
>... might be misconstrued by some to be abdicating the responsibility
>of the upper four levels.
Ummm... I don't quite know how to break this to you, but...
>Agreed. Close all open resolvers as well.
I may be alone, but I am not persuaded that that even entirely solves
the problem. (And I'm not sure that vigorous community efforts to
close all open resolvers aren't perhaps a tad bit misguided, even if
still good and beneficial.)
If Joe is authoritative for a zone 'Z' which happens to have, oh, say, 4000
bytes worth of crap in its ANY responses (counting all the DNSSEC and SPF
cruft) and if I spoof an ANY request to Joe for Z with your IP address on
it, what's gonna happen to you?
Multiply this by millions of Joes and millions of zones which have been
fluffed up with either DNSSEC and/or fat SPF TXT records and I don't need
there to be a single "open" resolver on the Internet in order to kill
you deader than a doornail.
Regards,
rfg
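The scenario above (spoofed ANY queries to an authoritative server whose large responses land on the victim) is exactly what response rate limiting on the authoritative side is meant to blunt. The following is an added example, not code from this thread or from BIND: a simplified, illustrative reimplementation of RRL-style decision logic (answer / drop / send-truncated) keyed on the client prefix, plus a per-prefix amplification estimate an operator could use to spot which zone and query type is being abused. The policy constants, the `z.example.` zone and the query-log tuples are constructed for the example.

```python
"""Simplified response-rate-limiting (RRL) decision logic for an authoritative
DNS server, modelled loosely on the idea behind BIND's RRL feature.
This is an illustrative reimplementation, not BIND's code.

Constructed input: (timestamp, client_ip, qname, qtype, response_bytes)
tuples standing in for query-log records.
"""
from collections import defaultdict
import ipaddress

# Assumed policy values (hypothetical; tune for a real deployment).
RESPONSES_PER_SECOND = 5      # identical responses allowed per client prefix per window
WINDOW_SECONDS = 1
SLIP = 2                      # every SLIP-th rate-limited answer is sent truncated, not dropped
AMPLIFICATION_ALERT = 20.0    # response/request byte ratio worth alerting on


def client_prefix(ip: str, v4_len: int = 24, v6_len: int = 56) -> str:
    """Collapse a client address to the prefix accounting is done against:
    spoofed sources tend to cluster by prefix, not by single address."""
    addr = ipaddress.ip_address(ip)
    plen = v4_len if addr.version == 4 else v6_len
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))


class RateLimiter:
    def __init__(self):
        self._counts = defaultdict(int)   # ((prefix, qname, qtype), window) -> count
        self._limited = defaultdict(int)  # (prefix, qname, qtype) -> limited so far

    def decide(self, ts: float, ip: str, qname: str, qtype: str) -> str:
        window = int(ts // WINDOW_SECONDS)
        key = (client_prefix(ip), qname.lower(), qtype.upper())
        self._counts[(key, window)] += 1
        if self._counts[(key, window)] <= RESPONSES_PER_SECOND:
            return "answer"
        self._limited[key] += 1
        # A truncated reply carries no amplification payload and lets a real
        # resolver retry over TCP, where the source address cannot be spoofed.
        return "truncate" if self._limited[key] % SLIP == 0 else "drop"


def query_size(qname: str) -> int:
    """Wire size of a minimal UDP query: 12-byte header + encoded name
    (length byte per label plus root label) + QTYPE/QCLASS."""
    labels = [l for l in qname.strip(".").split(".") if l]
    return 12 + sum(1 + len(l) for l in labels) + 1 + 4


def amplification(qname: str, response_bytes: int) -> float:
    """Bytes sent to the (possibly spoofed) source per byte of query received."""
    return response_bytes / query_size(qname)


def triage(records):
    """Run each record through the limiter and report per-prefix worst-case
    amplification so an operator can see what is being abused."""
    decisions = []
    worst = defaultdict(float)
    limiter = RateLimiter()
    for ts, ip, qname, qtype, resp in records:
        decisions.append(limiter.decide(ts, ip, qname, qtype))
        prefix = client_prefix(ip)
        worst[prefix] = max(worst[prefix], amplification(qname, resp))
    alerts = {p: round(a, 1) for p, a in worst.items() if a >= AMPLIFICATION_ALERT}
    return decisions, alerts


# Constructed sample: eight ANY queries for the same zone from one /24 within
# one second, each drawing a 4000-byte response, plus one ordinary A query.
SAMPLE = [(0.1 * i, f"192.0.2.{10 + i}", "z.example.", "ANY", 4000) for i in range(8)]
SAMPLE.append((0.5, "198.51.100.7", "www.z.example.", "A", 60))

if __name__ == "__main__":
    decs, alerts = triage(SAMPLE)
    print("decisions:", decs)
    print("amplification alerts:", alerts)
```

The point of the slip/truncate step is that a legitimate resolver whose address happens to share a prefix with spoofed traffic still gets an answer (over TCP), while the victim receives at most a handful of full-size responses per window instead of one per forged packet.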
More information about the bind-users mailing list