DNS Amplification Attacks... and a trivial proposal

John Levine johnl at iecc.com
Fri Jun 14 12:42:35 UTC 2013


>OK. I just want to be clear here, and make sure that I have properly
>understood what you have said.   Would it be correct, then, to say that
>at the present moment you are not actually able to produce, cite, or
>describe, with any particularity or specificity, even one individual
>specific incident in which 512 byte packets were used to perpetrate
>any individual, effective, and successful DDoS attack which actually
>resulted in some actual "service" being "denied", and that you are
>likewise unable to relate any specifics about any such purported attack
>which was in any other way worthy of note?

No.  In any reflector attack, the bad guys blast out the requests and
the reflectors send back what they send back.  Since there are still
plenty of DNS caches that don't do EDNS0, some of the traffic is big
packets, some is smaller.  The victims of the attacks for some reason
always have something more pressing to do than to collect detailed
statistics on the distribution of the incoming packets, so nobody
knows what fraction is what.

More to the point, I know you can do arithmetic.  The bad guys have
botnets of 100,000 hosts or more, and there are at least that many
open resolvers (think random networked printers and such) so a factor
of 4 in the amplification ratio isn't important.

When Doug said they were switching to chargen, he wasn't kidding.
There's an unlimited number of things on the net that will respond to
incoming packets.

R's,
John
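
The reflector arithmetic above, as an added example that is not part of the thread: a small per-client amplification check a resolver operator could run over its own query logs, fed with constructed sample traffic, showing that cutting non-EDNS0 answers to 512 bytes lowers the ratio without making the reflector harmless. The names (`Exchange`, `flag_reflector_abuse`), the sample sizes and the thresholds are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Exchange:
    """One query/response pair seen at a resolver (constructed for this example)."""
    client: str           # source address of the query; spoofed to the victim in a reflector attack
    query_bytes: int      # UDP payload size of the query
    response_bytes: int   # UDP payload size of the answer the resolver would like to send
    edns: bool            # query advertised an EDNS0 buffer larger than 512 bytes


def effective_response(ex: Exchange, cap: int = 512) -> int:
    """Bytes actually sent: without EDNS0 the reply is cut to the classic 512-byte UDP limit."""
    return ex.response_bytes if ex.edns else min(ex.response_bytes, cap)


def amplification_by_client(exchanges, cap: int = 512):
    """Per client: (number of queries, total reply bytes / total query bytes)."""
    q_bytes, r_bytes, count = defaultdict(int), defaultdict(int), defaultdict(int)
    for ex in exchanges:
        q_bytes[ex.client] += ex.query_bytes
        r_bytes[ex.client] += effective_response(ex, cap)
        count[ex.client] += 1
    return {c: (count[c], round(r_bytes[c] / q_bytes[c], 2)) for c in q_bytes}


def flag_reflector_abuse(exchanges, min_ratio=3.0, min_queries=5, cap=512):
    """Clients whose aggregate reply/query byte ratio is high over enough queries to matter."""
    stats = amplification_by_client(exchanges, cap)
    return sorted(c for c, (n, ratio) in stats.items() if n >= min_queries and ratio >= min_ratio)


def without_edns0(exchanges):
    """Model a resolver that ignores EDNS0 entirely, so every reply is capped at 512 bytes."""
    return [replace(ex, edns=False) for ex in exchanges]


# Constructed sample traffic, not captured data: one source repeatedly asks for a large
# answer (half the queries with EDNS0, half without); the other looks like a normal client.
SAMPLES = (
    [Exchange("203.0.113.5", 64, 3000, True) for _ in range(5)]
    + [Exchange("203.0.113.5", 53, 3000, False) for _ in range(5)]
    + [Exchange("198.51.100.7", 45, 120, False) for _ in range(3)]
)

if __name__ == "__main__":
    print("EDNS0 honoured:", amplification_by_client(SAMPLES), flag_reflector_abuse(SAMPLES))
    print("all capped at 512:", amplification_by_client(without_edns0(SAMPLES)),
          flag_reflector_abuse(without_edns0(SAMPLES)))
```

The ratio for the abusive source drops from about 30 to under 9 when every reply is capped, which is the "factor of 4 isn't important" point: it is still flagged either way.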