Preventing a particular type of nameserver abuse

at lbutlr at lbutlr
Thu Apr 15 01:35:40 UTC 2021


On 14 Apr 2021, at 01:48, Anand Buddhdev <anandb at ripe.net> wrote:
> This is a short-sighted opinion. If just one authoritative server sends
> out REFUSED responses towards an innocent, it won't matter. But if 1000
> authoritative servers all send out REFUSED responses towards an innocent
> IP address, their combined volume and packet rate *is* significant.

Is it?

How big is a REFUSED response?

Even if it is 100 bytes (and I think it is not that large, but I cannot find it), 1000 refused would be 100K.

How many thousands of servers do you need in this "DDoS" to overwhelm a pretty average connection? (My home connection is only 200Mbps down).

Granted, a million machines would be generating 100MB of data, which is insignificant, but the number of packets at that scale would probably be an issue. But is a million servers realistic?

I don't think calling this a DDoS is accurate. It is more likely there is a known exploit for some servers and they are probing or it is some script kiddie just blasting out packets hoping to get lucky.

-- 
"Are you pondering what I'm pondering?"
"I think so, Mr. Brain, but if the sun'll come out tomorrow, what's
	it doing right now?"
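The question "how big is a REFUSED response?" can be answered by building one. The following is an added example, not code from the thread or from BIND: it assembles a minimal RFC 1035 REFUSED response (12-byte header with RCODE=5 and the question section echoed back, no EDNS OPT record and no answer records), measures its on-the-wire size assuming IPv4 plus UDP, and then projects the aggregate packet rate and bandwidth that a given number of servers would reflect toward one address at a given per-server response rate. The server count and rate values are constructed inputs for the estimate, not measurements from the thread.

```python
import struct

RCODE_REFUSED = 5          # RFC 1035 RCODE 5
IPV4_HEADER_BYTES = 20     # assumption: IPv4, no options
UDP_HEADER_BYTES = 8


def encode_name(name: str) -> bytes:
    """Encode a domain name as RFC 1035 length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_refused_response(txid: int, qname: str, qtype: int = 1, qclass: int = 1) -> bytes:
    """Build the smallest REFUSED reply a server sends: header + echoed question, nothing else."""
    # Flags: QR=1 (response), opcode 0, RD copied from the query, RCODE=5 (REFUSED)
    flags = 0x8000 | 0x0100 | RCODE_REFUSED
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # QD=1, AN=NS=AR=0
    question = encode_name(qname) + struct.pack("!HH", qtype, qclass)
    return header + question


def rcode(message: bytes) -> int:
    """Extract the RCODE (low 4 bits of the flags word) from a DNS message."""
    return struct.unpack("!H", message[2:4])[0] & 0x000F


def wire_size(dns_payload: bytes) -> int:
    """Bytes on the wire for one UDP/IPv4 datagram carrying this DNS payload."""
    return IPV4_HEADER_BYTES + UDP_HEADER_BYTES + len(dns_payload)


def aggregate_load(servers: int, responses_per_server_per_s: float, bytes_per_packet: int) -> dict:
    """Packet rate and bandwidth that `servers` resolvers would reflect at the spoofed source."""
    pps = servers * responses_per_server_per_s
    bps = pps * bytes_per_packet * 8
    return {"packets_per_s": pps, "bits_per_s": bps, "mbps": bps / 1e6}


if __name__ == "__main__":
    # Constructed sample query: A record for www.example.com, transaction id 0x1234
    reply = build_refused_response(0x1234, "www.example.com")
    size = wire_size(reply)
    print(f"REFUSED payload: {len(reply)} bytes, on the wire (IPv4+UDP): {size} bytes, rcode={rcode(reply)}")
    # Constructed scenarios: 1,000 and 1,000,000 servers each emitting one response per second
    for servers in (1_000, 1_000_000):
        load = aggregate_load(servers, 1.0, size)
        print(f"{servers:>9} servers @ 1 resp/s -> {load['packets_per_s']:.0f} pps, {load['mbps']:.3f} Mbps")
```

For a typical three-label name the payload is 33 bytes and the datagram 61 bytes, so bandwidth stays small until the server count or per-server rate is large, while the packet rate scales linearly with both; that is the figure a defender should compare against the packets-per-second limits of the victim's link and firewall rather than the raw byte count.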


