DNS Amplification Attacks... and a trivial proposal

Vernon Schryver vjs at rhyolite.com
Fri Jun 14 01:26:30 UTC 2013


> From: "John Levine" <johnl at iecc.com>

> The real solution is BCP 38, to keep spoofed packets out of the
> network in the first place. 

Indeed.   As many have mentioned, DNS reflection attacks are merely
the current fad, driven partly by 10X or higher amplification
(<50 byte queries, >500 byte responses) and partly by the lemming
syndrome of any fad.

There have been, are, and will be many other protocols used
in reflection attacks until BCP 38 is the de facto standard.
Smurf was an old example
https://www.google.com/search?q=smurf+reflection+attack
See also ntp  https://www.google.com/search?q=ntp+reflection+attack
Chargen is another one from the ancient suite of the small services
https://www.google.com/search?q=small+udp+service+reflection+attack
that is reportedly popular again.
https://www.google.com/search?q=chargen+attack&tbs=qdr:m
See also NTP, timed, and others.

The standard reaction to a list like that from experts who invent
Final Ultimate Solutions to the Spam Problem is incoherent nonsense
about TCP and/or authentication.  They neither know nor care that TCP
has long been and still is very popular in reflection DoS attacks.
https://www.google.com/search?q=tcp+syn+attack


Vernon Schryver    vjs at rhyolite.com
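The BCP 38 point made above, as an added example that is not part of the original post or of BIND: a minimal source-address validation check of the kind a network edge applies on customer-facing interfaces. A packet is forwarded only if its source address falls within a prefix assigned to the interface it arrived on; a packet carrying some other site's address as its source (the spoof every reflection attack, DNS, NTP, chargen or SYN, depends on) is dropped before it can reach a reflector. The interface names, prefixes and packet records below are constructed for illustration using documentation address ranges.

```python
"""Added example (not from the post above): a BCP 38 style
source-address check over constructed packet records."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed mapping of ingress interface -> prefixes assigned to the
# customers behind it. Hypothetical names and documentation ranges.
INGRESS_PREFIXES: Dict[str, List[str]] = {
    "cust-a": ["203.0.113.0/24"],
    "cust-b": ["198.51.100.0/25", "2001:db8:b::/48"],
}

# (interface, src, dst, proto/port, length) records, constructed for the demo.
# Lengths are typical small UDP query sizes; they are not real captures.
PACKETS: List[Tuple[str, str, str, str, int]] = [
    ("cust-a", "203.0.113.7", "192.0.2.53", "udp/53", 45),      # legitimate DNS query
    ("cust-a", "192.0.2.10", "192.0.2.53", "udp/53", 45),       # source is the victim's address: spoofed
    ("cust-b", "198.51.100.200", "192.0.2.123", "udp/123", 48), # .200 is outside 198.51.100.0/25
    ("cust-b", "2001:db8:b::5", "2001:db8:d::53", "udp/53", 60), # legitimate IPv6 query
    ("cust-c", "203.0.113.9", "192.0.2.53", "udp/53", 45),      # interface with no prefix list
]


def build_filter(table: Dict[str, List[str]]) -> Dict[str, List[ipaddress._BaseNetwork]]:
    """Parse the per-interface prefix lists once, up front."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in table.items()}


def source_permitted(compiled: Dict[str, List[ipaddress._BaseNetwork]],
                     iface: str, src: str) -> bool:
    """True if `src` may legitimately originate on `iface`.

    Fails closed: an unparsable source or an interface without a prefix
    list is treated as not permitted.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    nets = compiled.get(iface)
    if nets is None:
        return False
    # `in` is already False across IPv4/IPv6, but the version check makes
    # the intent explicit.
    return any(addr.version == n.version and addr in n for n in nets)


def filter_packets(compiled, packets):
    """Split packets into those forwarded and those dropped at ingress."""
    passed, dropped = [], []
    for pkt in packets:
        iface, src = pkt[0], pkt[1]
        (passed if source_permitted(compiled, iface, src) else dropped).append(pkt)
    return passed, dropped


def demo():
    """Run the constructed packets through the constructed filter."""
    return filter_packets(build_filter(INGRESS_PREFIXES), PACKETS)


if __name__ == "__main__":
    passed, dropped = demo()
    for pkt in passed:
        print("FORWARD", pkt)
    for pkt in dropped:
        print("DROP   ", pkt)
```

Only the two packets whose sources belong to the interface they entered on are forwarded. Note that the check never looks at the destination or the protocol: ingress filtering does not need to know which service is being reflected, which is why it closes DNS, NTP, chargen and SYN reflection at once, whereas per-protocol rate limiting has to be reinvented for each fad.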

