Preventing a particular type of nameserver abuse

at lbutlr at lbutlr
Thu Apr 15 01:35:40 UTC 2021

On 14 Apr 2021, at 01:48, Anand Buddhdev <anandb at> wrote:
> This is a short-sighted opinion. If just one authoritative server sends
> out REFUSED responses towards an innocent, it won't matter. But if 1000
> authoritative servers all send out REFUSED responses towards an innocent
> IP address, their combined volume and packet rate *is* significant.

Is it?

How big is a REFUSED response?

Even if it is 100 bytes (and I think it is not that large, but I cannot find it), 1000 refused would be 100K.

How many thousands of servers do you need in this "DDoS" to overwhelm a pretty average connection? (My home connection is only 200Mbps down).

Granted, a million machines would be generating 100MB of data, which is insignificant, but the number of packets at that scale would probably be an issue. But is a million servers realistic?

I don't think calling this a DDoS is accurate. It is more likely there is a known exploit for some servers and they are probing or it is some script kiddie just blasting out packets hoping to get lucky.

"Are you pondering what I'm pondering?"
"I think so, Mr. Brain, but if the sun'll come out tomorrow, what's
	it doing right now?"
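The post asks how big a REFUSED response actually is and what 1000 (or a million) of them add up to. The following is an added example, not code from the thread or from BIND: it builds a plain DNS query in RFC 1035 wire format, derives the REFUSED response an authoritative server would return (same ID, same question echoed back, RCODE 5, no records), and reports the on-wire size including IPv4 and UDP headers, then scales that to an aggregate bit rate and packet rate for an assumed number of reflecting servers and per-server response rate. The query name, server count and rates are constructed inputs; the size assumes no EDNS OPT record, which would add to the response.

```python
import struct

DNS_HEADER_LEN = 12
IPV4_UDP_OVERHEAD = 20 + 8   # IPv4 header (no options) + UDP header
RCODE_REFUSED = 5


def encode_qname(name: str) -> bytes:
    """Encode a domain name as DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1, qclass: int = 1) -> bytes:
    """Build a minimal DNS query (RD set, one question, no EDNS)."""
    flags = 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, qclass)


def build_refused(query: bytes) -> bytes:
    """Build the REFUSED response to a query: ID and question are copied,
    QR is set, OPCODE and RD are preserved, RCODE is 5, and no records follow.
    Assumes an uncompressed question name, as sent by real resolvers."""
    txid, qflags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:DNS_HEADER_LEN])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    opcode = qflags & 0x7800
    rd = qflags & 0x0100
    rflags = 0x8000 | opcode | rd | RCODE_REFUSED
    # Walk the labels of QNAME to find the end of the question section.
    pos = DNS_HEADER_LEN
    while query[pos] != 0:
        pos += query[pos] + 1
    pos += 1 + 4                       # terminating zero label + QTYPE/QCLASS
    question = query[DNS_HEADER_LEN:pos]
    return struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0) + question


def wire_size(dns_payload: bytes) -> int:
    """Bytes on the wire for one UDP/IPv4 datagram carrying this payload."""
    return len(dns_payload) + IPV4_UDP_OVERHEAD


def aggregate_rate(bytes_per_response: int, servers: int, responses_per_server_per_s: float):
    """Traffic arriving at the spoofed source: (bits per second, packets per second)."""
    pps = servers * responses_per_server_per_s
    bps = pps * bytes_per_response * 8
    return bps, pps


if __name__ == "__main__":
    # Constructed inputs: one A query for example.com, 1000 servers each answering once per second.
    q = build_query(0x1234, "example.com")
    r = build_refused(q)
    size = wire_size(r)
    bps, pps = aggregate_rate(size, servers=1000, responses_per_server_per_s=1.0)
    print(f"REFUSED response: {len(r)} bytes DNS payload, {size} bytes on the wire")
    print(f"1000 servers x 1 response/s: {bps / 1e6:.3f} Mbit/s, {pps:.0f} packets/s")
```

The response is exactly as long as the query it answers, so the reflected volume is whatever the attacker sent, with no amplification; what changes with the number of servers is only the packet rate, which is the quantity the post singles out as the likely problem at scale.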

More information about the bind-users mailing list