DNS Amplification Attacks... and a trivial proposal

Sten Carlsen stenc at s-carlsen.dk
Fri Jun 14 01:18:12 UTC 2013


Just a thought, below:
On 14/06/13 2:41, Ronald F. Guilmette wrote:
> In message <51B9FB6A.1090701 at tiggee.com>,
> David Miller <dmiller at tiggee.com> wrote:
>
>> This could lead to wrong headed statements like, "Yes, we sent X GB of
>> traffic at your network.
> Yes.
>
> Last night I reconsidered at some length the scheme I put forward yesterday.
> (Please note that I am very deliberately calling it merely a "scheme"
> rather than a "proposal", because I do not think that it rises to the
> level of that honorable title yet.)
>
> Basically, please ignore everything I put forward yesterday and substitute
> instead the following in place of all that...
>
>     1)  A new DNS/UDP packet/message type is defined.  This new message
> 	when sent from machine A to machine B informs B that A would
> 	really really appreciate it if B would cease and desist from sending
> 	anything other than HIGHLY ABBREVIATED (12 byte) UDP DNS response
> 	packets to the IP address of A for a period of 30 seconds.  (Said
> 	highly abbreviated DNS/UDP response packets would all have the TC
> 	bit set.)
>
> 	In a hypothetical revised future DNS RFC it would be said that all
> 	DNS servers attached to the public internet MUST be capable of
> 	properly receiving, decoding and obeying any and all such client
> 	requests.
>
I wonder what DNS servers running older versions of the SW will respond
to that? If they silently discard the packet, no problem. If, however,
they respond with refused or anything else, you create your own storm.

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
       "MALE BOVINE MANURE!!!"
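The 12-byte, header-only TC reply the quoted scheme describes, shown as an added Python example that is not part of this thread or of BIND; the sample query, the assumed size of a full ANY answer, and the function names are constructed here, and the same builder produces the header-only "refused" reply Sten is worried about so the two can be compared.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1).
QR = 0x8000            # message is a response
OPCODE_SHIFT = 11      # opcode occupies bits 11..14
TC = 0x0200            # truncated: "retry over TCP"
RD = 0x0100            # recursion desired (echoed back)
RCODE_MASK = 0x000F
RCODE_REFUSED = 5
HEADER_LEN = 12        # the "highly abbreviated" reply is exactly one header

def header_only_reply(query: bytes, tc: bool = True, rcode: int = 0) -> bytes:
    """Build a 12-byte response: echo the query ID and opcode, set QR,
    optionally set TC, copy RD, zero all section counts.  With TC=1 a
    resolver retries over TCP, where the source address cannot be spoofed
    the way a UDP source can; with tc=False and rcode=REFUSED this is the
    kind of answer an older server might send back to an unknown message."""
    if len(query) < HEADER_LEN:
        raise ValueError("query shorter than a DNS header")
    qid, flags = struct.unpack("!HH", query[:4])
    opcode_bits = flags & (0xF << OPCODE_SHIFT)
    out_flags = QR | opcode_bits | (flags & RD) | (rcode & RCODE_MASK)
    if tc:
        out_flags |= TC
    return struct.pack("!HHHHHH", qid, out_flags, 0, 0, 0, 0)

def parse_header(pkt: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into its fields."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:HEADER_LEN])
    return {"id": qid, "qr": bool(flags & QR),
            "opcode": (flags >> OPCODE_SHIFT) & 0xF,
            "tc": bool(flags & TC), "rcode": flags & RCODE_MASK,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def amplification(query_len: int, response_len: int) -> float:
    """Bytes returned per byte received: the ratio a reflection attack relies on."""
    return response_len / query_len

# Constructed sample: a 25-byte query for "isc.org" type ANY, ID 0x1234, RD set.
SAMPLE_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x03isc\x03org\x00\x00\xff\x00\x01")
# Assumed size of a full UDP ANY answer (constructed figure for comparison only).
ASSUMED_FULL_ANY_LEN = 3000

if __name__ == "__main__":
    tiny = header_only_reply(SAMPLE_QUERY)
    print(parse_header(tiny))
    print("full ANY ratio:", amplification(len(SAMPLE_QUERY), ASSUMED_FULL_ANY_LEN))
    print("TC-only ratio: ", amplification(len(SAMPLE_QUERY), len(tiny)))
```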
