DNS Amplification Attacks... and a trivial proposal

Vernon Schryver vjs at rhyolite.com
Fri Jun 14 01:26:30 UTC 2013

> From: "John Levine" <johnl at iecc.com>

> The real solution is BCP 38, to keep spoofed packets out of the
> network in the first place. 

Indeed.   As many have mentioned, DNS reflection attacks are merely
the current fad, driven partly by 10X or higher amplification
(<50 byte queries, >500 byte responses) and partly by the lemming
syndrome of any fad.

There are have been, are, and will be many other protocols used 
in reflection attacks until BCP 38 is the de facto standard.
Smurf was an old example
See also ntp  https://www.google.com/search?q=ntp+reflection+attack
Chargen is another one from the ancient suite of of the small services
that is reportedly popular again.
See also NTP, timed, and others.

The standard reaction to a list like that from experts who invent
Final Ultimate Solutions to the Spam Problem is incoherent nonsense
about TCP and/or authentication.  They neither know nor care TCP has
long been and still is a very popular in reflection DoS attacks.

Vernon Schryver    vjs at rhyolite.com

More information about the bind-users mailing list