DNS Amplification Attacks... and a trivial proposal

John Levine johnl at iecc.com
Fri Jun 14 00:41:55 UTC 2013

>The entire problem is fundamentally a result of the introduction of EDNS0.
>Wwouldn't you agree?

No, that just makes it a little easier.  You pound the patoot out of
someone with 512 byte packets just as much as you can with 4K packets,
just by making your attacking botnet bigger.

The real solution is BCP 38, to keep spoofed packets out of the
network in the first place.  With widely implemented BCP 38, open
resolvers wouldn't matter since you could only DoS yourself, or at
worst someone else on your own network segment.


More information about the bind-users mailing list