Millions of './ANY/IN' queries denied

Andrew P. andrewemt at hotmail.com
Thu Dec 16 14:29:18 UTC 2021


Reindl Harald <h.reindl at thelounge.net> writes:
>On 16.12.21 at 14:56, Andrew P. wrote:
>> Reindl Harald <h.reindl at thelounge.net> writes:
>> On 16.12.21 at 14:22, Andrew P. wrote:
>>>> You don't understand what kind of blacklist I want; I want to blacklist the domain name
>>>> being asked for, so I don't answer for it. I'm not looking to blacklist forged IP addresses
>>>> of requestors (since we all know criminals don't use their own identities; they use the
>>>> identities of innocent bystanders).
>>>>
>>>> Again, why should _my_ nameserver respond to a query for "./ANY/IN"? I am not a rootserver, and never will be.
>>>
>>> AGAIN: you don't gain anything by not responding on a UDP protocol
>>> because the client can't distinguish between no response and packet loss
>>
>> AGAIN, the criminal DDoS attacker who's creating these forged requests isn't looking for replies to themselves
>
>but a legit client does while these attacks aren't successful at all

And you still haven't told me who would be a legitimate client making that request for the
root domain from my nameserver. Frankly, I can't think of _anyone_ who should be making
that request of my nameserver.

Sure, it's a legitimate request to make of someone's first-hop ISP-provided caching-only nameserver, or of
a root nameserver. But not against _my_ nameserver. Or are you claiming there is DNS spoofing out
there identifying legitimate name servers as authoritative for domains they are not actually
authoritative for? Seems like a rather useless form of DNS spoofing, when such attackers could
more usefully (to them) direct victims to nameservers under the attacker's control.

>> they're looking to abuse some poor victim. And the victim can't make the attacker shut up
>
>this attacker must be pretty dumb then because the ANY request only makes
>sense if it gets answered and the response is orders of magnitude larger than
>the request

Not if the attacker has a huge bot-net to make the requests. He doesn't care how much of
the bots' network capacity is used up, since the attacker isn't paying for it. And, based on the same
philosophy as spam, if they hit enough name servers, some of them will be insecure and provide the
full response, while even those who only send an error packet still need to have that packet
consumed at the victim.

>hence you need to send them to a server giving a full answer to the victim

No; if you get enough error responses, it will still work. It just takes more.

>with just an error response he could send his attack traffic directly,
>given that the attacker needs the full bandwidth anyway and not use a
>valid DNS request, just blow out traffic to UDP 53

And why should the attacker give away the location of all his bots, when he
can get all these legitimate nameservers to take the blame?

>one couldn't care less about attackers which don't know what they are doing

I suspect they do know what they are doing, or they wouldn't be wasting their
time doing it.
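As an added example (not part of this thread or of BIND itself), a small stdlib-only Python script that covers the two things a defender reading this exchange would want to see: it tallies denied './ANY/IN' queries per source address in constructed BIND security-log lines, so that a single heavily spoofed source (the likely reflection victim) stands out from background noise, and it computes the wire size of the './ANY/IN' query next to the size of a REFUSED reply, which is what the amplification argument above turns on. The log-line format, the sample addresses and the alert threshold are assumptions.

```python
import re
import struct
from collections import Counter

# Constructed BIND 9 security-category log lines (sample data, not from the thread).
SAMPLE_LOG = """\
16-Dec-2021 14:22:01.101 client @0x7f2b3c001230 192.0.2.10#43217 (.): query (cache) './ANY/IN' denied
16-Dec-2021 14:22:01.102 client @0x7f2b3c001230 192.0.2.10#43218 (.): query (cache) './ANY/IN' denied
16-Dec-2021 14:22:01.103 client @0x7f2b3c001230 192.0.2.10#43219 (.): query (cache) './ANY/IN' denied
16-Dec-2021 14:22:01.104 client @0x7f2b3c001240 198.51.100.7#1234 (.): query (cache) './ANY/IN' denied
16-Dec-2021 14:22:01.105 client @0x7f2b3c001250 203.0.113.5#5353 (example.com): query (cache) 'example.com/A/IN' denied
16-Dec-2021 14:22:02.001 client @0x7f2b3c001230 192.0.2.10#43220 (.): query (cache) './ANY/IN' denied
"""

# Assumed line shape: "client [@0x...] <src>#<port> (<qname>): query (<type>) '<name/type/class>' denied"
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]*)\): "
    r"query \(\w+\) '(?P<q>[^']+)' denied"
)

def denied_any_root_by_source(log_text):
    """Count denied './ANY/IN' queries per claimed source address.

    In a reflection attack the source is forged, so a source that dominates
    this tally is more likely the victim being flooded than a real client.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m and m.group("q") == "./ANY/IN":
            counts[m.group("src")] += 1
    return counts

def likely_reflection_victims(counts, threshold):
    """Sources whose denied ./ANY/IN count reaches the (assumed) alert threshold."""
    return sorted(src for src, n in counts.items() if n >= threshold)

def dns_wire_sizes():
    """Return (query_bytes, refused_reply_bytes) for a ./ANY/IN query over UDP.

    Query: 12-byte header + root qname (single 0x00) + QTYPE ANY(255) + QCLASS IN(1).
    REFUSED reply: QR=1, RD=1, RA=1, RCODE=5 (flags 0x8185), question echoed, no records.
    """
    question = b"\x00" + struct.pack("!HH", 255, 1)
    query = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + question
    refused = struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0) + question
    return len(query), len(refused)

if __name__ == "__main__":
    counts = denied_any_root_by_source(SAMPLE_LOG)
    print("denied ./ANY/IN by source:", dict(counts))
    print("sources at or above threshold 3:", likely_reflection_victims(counts, 3))
    q, r = dns_wire_sizes()
    print(f"query {q} bytes, REFUSED reply {r} bytes, amplification {r / q:.2f}x")
```

A REFUSED reply is the same size as the query (amplification 1.0x), which is why a denied answer reflects bytes but does not amplify them; a full root ANY answer would be many times larger.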


More information about the bind-users mailing list