DNS Amplification Attacks... and a trivial proposal

Ronald F. Guilmette rfg at tristatelogic.com
Fri Jun 14 00:51:23 UTC 2013


In message <51B9FB6A.1090701 at tiggee.com>, 
David Miller <dmiller at tiggee.com> wrote:

>A system that requires the victim to take action to stop attacks...

You mean like the de facto "system" we have right now?

>... might be misconstrued by some to be abdicating the responsibility
>of the upper four levels.

Ummm... I don't quite know how to break this to you, but...

>Agreed.  Close all open resolvers as well.

I may be alone, but I am not persuaded that that even entirely solves
the problem.  (And I'm not sure that vigorous community efforts to
close all open resolvers aren't perhaps a tad bit misguided, even if
still good and beneficial.)

If Joe is authoritative for a zone `Z' which happens to have, oh, say, 4000
bytes worth of crap in its ANY responses (counting all the DNSSEC and SPF
cruft) and if I spoof an ANY request to Joe for Z with your IP address on
it, what's gonna happen to you?

Multiply this by millions of Joes and millions of zones which have been
fluffed up with either DNSSEC and/or fat SPF TXT records and I don't need
there to be a single "open" resolver on the Internet in order to kill
you deader than a doornail.


Regards,
rfg
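The arithmetic behind the ANY-query scenario in the message above, as an added example that is not part of the original post: it builds the wire-format ANY query an attacker would spoof (including the EDNS0 OPT record that advertises a large UDP buffer, which is what lets the server answer in one big datagram instead of truncating), builds a constructed authoritative answer for a zone padded with DNSSEC-sized and SPF-sized records, and reports the byte ratio. The zone name `example.com` and the record sizes are assumptions chosen to land near the 4000-byte figure in the text; no resolver is involved anywhere, which is the poster's point.

```python
"""Estimate the amplification an authoritative ANY answer hands a spoofer.

Added example, not code from the original bind-users post. The zone name and
record sizes below are constructed for illustration only.
"""
import struct

QTYPE_ANY, QTYPE_TXT, QTYPE_DNSKEY, QTYPE_OPT = 255, 16, 48, 41
CLASS_IN = 1


def encode_name(name):
    """RFC 1035 wire encoding: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def encode_txt(text):
    """TXT rdata is one or more <character-string>s of at most 255 bytes each."""
    raw = text.encode("ascii")
    return b"".join(
        struct.pack("!B", len(raw[i:i + 255])) + raw[i:i + 255]
        for i in range(0, len(raw), 255)
    )


def build_any_query(zone, txid=0x1234, edns_udp_size=4096):
    """The datagram a spoofer sends: one ANY question plus an OPT pseudo-RR.

    The OPT record's CLASS field carries the requester's UDP payload size; a
    large value invites a large, untruncated UDP reply to the forged source.
    """
    # id, flags (RD only), qdcount=1, ancount=0, nscount=0, arcount=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_ANY, CLASS_IN)
    # OPT RR: root name, TYPE=OPT, CLASS=UDP size, TTL=0 (ext rcode/version/flags), RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def build_fat_response(query, zone, records):
    """Constructed authoritative answer echoing the question and appending RRs.

    `records` is a list of (rtype, rdata) pairs. Only the byte counts matter
    for amplification, so the rdata is taken as given.
    """
    txid = query[:2]
    # flags 0x8180: QR, RD, RA; answer count = number of records
    header = txid + struct.pack("!HHHHH", 0x8180, 1, len(records), 0, 0)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_ANY, CLASS_IN)
    answers = b""
    for rtype, rdata in records:
        # 0xC00C is a compression pointer back to the owner name in the question
        answers += b"\xc0\x0c" + struct.pack("!HHIH", rtype, CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + answers


def amplification_factor(query, response):
    """Bytes the victim receives per byte the attacker spent."""
    return len(response) / len(query)


def worked_example(zone="example.com"):
    """Constructed zone contents (assumed sizes): one DNSKEY-sized blob and a fat SPF record."""
    query = build_any_query(zone)
    dnskey_rdata = b"\x01\x01\x03\x08" + b"\x00" * 3496          # flags/proto/alg + 3496 bytes of key material
    spf_rdata = encode_txt("v=spf1 " + "include:x.example " * 20)
    response = build_fat_response(query, zone, [(QTYPE_DNSKEY, dnskey_rdata), (QTYPE_TXT, spf_rdata)])
    return len(query), len(response), amplification_factor(query, response)


if __name__ == "__main__":
    q_len, r_len, factor = worked_example()
    print(f"query {q_len} bytes -> response {r_len} bytes, amplification x{factor:.1f}")
```

Feeding the same `build_any_query` output at a real authoritative server and measuring the actual reply size (over UDP, with the OPT record present) is the honest way to find out how much a given zone amplifies; the constructed response here only shows that the ratio is set by the zone's contents and the advertised EDNS buffer, not by whether any resolver is open.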
