Millions of './ANY/IN' queries denied

Reindl Harald h.reindl at thelounge.net
Thu Dec 16 14:07:21 UTC 2021



On 16.12.21 at 14:56, Andrew P. wrote:
> Reindl Harald <h.reindl at thelounge.net> writes:
>> On 16.12.21 at 14:22, Andrew P. wrote:
>>> You don't understand what kind of blacklist I want; I want to blacklist the domain name
>>> being asked for, so I don't answer for it. I'm not looking to blacklist forged IP addresses
>>> of requestors (since we all know criminals don't use their own identities; they use the
>>> identities of innocent bystanders).
>>>
>>> Again, why should _my_ nameserver respond to a query for "./ANY/IN"? I am not a rootserver, and never will be.
>>
>> AGAIN: you don't gain anything by not responding on a UDP protocol
>> because the client can't distinguish no response from packet loss
> 
> AGAIN, the criminal DDoS attacker who's creating these forged requests isn't looking for replies to themselves

but a legit client does while these attacks aren't successful at all

> they're looking to abuse some poor victim. And the victim can't make the attacker shut up

this attacker must be pretty dumb then, because the ANY request only 
makes sense if it gets answered and the response is magnitudes larger than 
the request

hence you need to send them to a server giving a full answer to the victim

with just an error response he could send his attack traffic directly, 
given that the attacker needs the full bandwidth anyway, and not using a 
valid DNS request, just blow out traffic to UDP 53

one couldn't care less about attackers who don't know what they are doing
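The thread's point is that the source address on these forged "./ANY/IN" queries belongs to the victim, not the sender, so the useful thing a defender can do with the "denied" log lines is count them per source to see who is being reflected at. The script below is an added example written for this page, not code from the thread or from ISC; the log line layout is assumed from BIND 9's usual security-category format, and the log lines themselves are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Iterator, Optional

# Constructed sample of BIND "query ... denied" log lines (not real traffic).
# Addresses are from the documentation ranges; 203.0.113.7 is the "victim"
# whose address is being forged on the ./ANY/IN queries.
SAMPLE_LOG = """\
16-Dec-2021 13:55:01.101 client @0x7f2a1c0b2a40 203.0.113.7#4444 (.): query (cache) './ANY/IN' denied
16-Dec-2021 13:55:01.102 client @0x7f2a1c0b2a40 203.0.113.7#4444 (.): query (cache) './ANY/IN' denied
16-Dec-2021 13:55:01.104 client @0x7f2a1c0b2a40 203.0.113.7#4444 (.): query (cache) './ANY/IN' denied
16-Dec-2021 13:55:01.250 client @0x7f2a1c0b2b10 198.51.100.20#53012 (example.net): query (cache) 'example.net/A/IN' denied
16-Dec-2021 13:55:02.007 client @0x7f2a1c0b2c00 203.0.113.7#4444 (.): query (cache) './ANY/IN' denied
16-Dec-2021 13:55:02.300 client @0x7f2a1c0b2d20 192.0.2.9#60001 (isc.org): query (cache) 'isc.org/ANY/IN' denied
"""

# Assumed BIND 9 layout: "client [@0xHANDLE ]IP#PORT (HINT): query (VIEW) 'NAME/TYPE/CLASS' denied".
# The client handle is optional because older releases omit it.
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[^#\s]+)#(?P<port>\d+) "
    r"\((?P<hint>[^)]*)\): query \((?P<view>[^)]*)\) "
    r"'(?P<qname>[^']*?)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied"
)


def parse_denied(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one record per 'query ... denied' line; lines that don't match are skipped."""
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            yield m.groupdict()


def any_query_sources(log_text: str, qname: Optional[str] = None) -> Dict[str, int]:
    """Count denied ANY queries per source address.

    If qname is given (e.g. "."), only ANY queries for that name are counted,
    which isolates the root-ANY pattern from the thread's subject line.
    """
    counts = Counter(
        r["ip"]
        for r in parse_denied(log_text.splitlines())
        if r["qtype"] == "ANY" and (qname is None or r["qname"] == qname)
    )
    return dict(counts)


def reflection_candidates(log_text: str, threshold: int) -> Dict[str, int]:
    """Sources whose denied ANY count reaches the threshold.

    Because the attacker forges the source, these addresses are the likely
    reflection victims (the hosts that would receive any full answers), not
    the machines sending the packets, so they are candidates for notification
    rather than for blocking.
    """
    return {ip: n for ip, n in any_query_sources(log_text).items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in sorted(reflection_candidates(SAMPLE_LOG, threshold=3).items()):
        print(f"{ip}: {n} denied ANY queries (likely forged source / reflection victim)")
```

The threshold is deliberately a parameter: on a busy resolver a handful of ANY queries from one address is normal, while thousands per minute with a root qname is the pattern the subject line describes. Feed it the real security-category log and it gives you a per-victim count without any per-IP blocking, which, as the reply above argues, would not help on UDP anyway.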
