DNS Amplification Attacks... and a trivial proposal

Ronald F. Guilmette rfg at tristatelogic.com
Fri Jun 14 01:57:23 UTC 2013


In message <51BA355B.10707 at dougbarton.us>, 
Doug Barton <dougb at dougbarton.us> wrote:

>No. You can still get pretty good amplification with 512 byte responses.

That is an interesting contention.  Is there any evidence of, or even any
reasonably reliable report of any DDoS actually being perpetrated IN PRACTICE
using strictly 512 byte packets?

If that's actually a real problem, then I am forced to assume that there
must have been numerous reliable reports of successful and devastating
DNS reflection DDoS attacks which pre-dated the widespread adoption of
EDNS0.  I am not sure where or how I would be able to unearth archived
but contemporaneous news accounts of such incidents, so if you could
send me some links to archived copies of a few such pre-EDNS0 DDoS
reports, I sure would appreciate it.

>There is no quick fix.

I will settle for a slow one.

All I am asking of the Internet community is that we at least *begin* the
process of implementing something that will really solve the problem once
and for all... including even the part of the problem that can arise from
non-open DNS servers.

I am not persuaded that we have even really begun in earnest a process that
is likely to lead to that result.  Almost everybody, even 13 years later,
is still hoping for, and praying for, some utterly cost-free and pain-free
solution to drop down out of the sky like manna from heaven.

My question is really a simple one:  Where are the adults?  This problem
has gone on long enough.


Regards,
rfg
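The disputed point above is whether a 512-byte response, the classic pre-EDNS0 ceiling, still gives a reflector a worthwhile amplification factor. The following is an added worked example, not code from the original post or from BIND: it builds a minimal DNS query in wire format (RFC 1035), optionally with an EDNS0 OPT record (RFC 6891), and computes the bytes-returned-per-byte-sent ratio for a 512-byte response and for a 4096-byte response. The query name `isc.org`, the QTYPE `ANY`, and the 4096-byte EDNS buffer size are illustrative choices; the IPv4+UDP header overhead is included so the on-the-wire ratio, which is what the victim's link sees, is shown beside the bare payload ratio.

```python
import struct

# IPv4 header (20 bytes) + UDP header (8 bytes): overhead carried by every
# datagram in both directions.  IPv6 would be 40 + 8; IPv4 is assumed here.
IP_UDP_OVERHEAD = 20 + 8

# Illustrative constants (assumptions for this example, not from the post).
QTYPE_ANY = 255
QCLASS_IN = 1
RRTYPE_OPT = 41
CLASSIC_LIMIT = 512      # maximum UDP payload without EDNS0 (RFC 1035)
EDNS_BUFSIZE = 4096      # a commonly advertised EDNS0 UDP payload size


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in the root (0x00)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int, edns_bufsize: int = 0) -> bytes:
    """Build a one-question DNS query packet.

    If edns_bufsize > 0, append an EDNS0 OPT pseudo-RR in the additional section
    advertising that UDP payload size; this is what lets a server reply with
    more than 512 bytes over UDP.
    """
    arcount = 1 if edns_bufsize else 0
    # ID, flags (RD set), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    pkt = header + question
    if edns_bufsize:
        # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size, TTL=ext-RCODE/flags, RDLEN=0
        pkt += b"\x00" + struct.pack("!HHIH", RRTYPE_OPT, edns_bufsize, 0, 0)
    return pkt


def amplification(query: bytes, response_len: int, include_headers: bool = True) -> float:
    """Bytes delivered to the victim per byte the attacker spends on the query."""
    overhead = IP_UDP_OVERHEAD if include_headers else 0
    return (response_len + overhead) / (len(query) + overhead)


def compare_scenarios(name: str = "isc.org") -> dict:
    """Amplification for a plain query capped at 512 bytes vs. an EDNS0 query at 4096."""
    plain = build_query(name, QTYPE_ANY)
    edns = build_query(name, QTYPE_ANY, EDNS_BUFSIZE)
    return {
        "plain_query_len": len(plain),
        "edns_query_len": len(edns),
        "plain_512_payload": amplification(plain, CLASSIC_LIMIT, include_headers=False),
        "plain_512_wire": amplification(plain, CLASSIC_LIMIT),
        "edns_4096_payload": amplification(edns, EDNS_BUFSIZE, include_headers=False),
        "edns_4096_wire": amplification(edns, EDNS_BUFSIZE),
    }


if __name__ == "__main__":
    for key, value in compare_scenarios().items():
        print(f"{key:20s} {value:8.2f}" if isinstance(value, float) else f"{key:20s} {value:8d}")
```

For the chosen name the plain query is 25 bytes of DNS payload, so a 512-byte response is roughly 20x at the payload level and about 10x once IPv4/UDP headers are counted; the 11-byte OPT record raises the ceiling to 4096 bytes and the wire ratio to roughly 64x. The example quantifies both sides of the exchange quoted above without settling the empirical question Guilmette asks, which is whether the 512-byte case was ever exploited at scale.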

