[111070] in North American Network Operators' Group


Re: Tightened DNS security question re: DNS amplification attacks.

daemon@ATHENA.MIT.EDU (Chris Adams)
Tue Jan 27 23:19:57 2009

Date: Tue, 27 Jan 2009 22:19:40 -0600
From: Chris Adams <cmadams@hiwaay.net>
To: nanog@merit.edu
Mail-Followup-To: Chris Adams <cmadams@hiwaay.net>, nanog@merit.edu
In-Reply-To: <7EA9625D-2678-496E-BD7E-76F02E40C6E4@cs.cmu.edu>
Errors-To: nanog-bounces@nanog.org

Once upon a time, David Andersen <dga@cs.cmu.edu> said:
> Actually, ". IN NS" is a particularly useful thing for them to do,  
> because it's an almost globally guaranteed response that will get a  
> large response and be in cache.

That's only true on servers that aren't well-configured.

> "<tld>. IN NS", of course, but the set of things that work well for  
> such an attack are relatively limited.

Try "aol.com. MX", "hotmail.com. MX", any domain with a big SPF TXT
record, etc.  There's nothing really special about ". NS".  If somebody
is serving cached data to the world (even if they aren't recursing for
the world), there are any number of things that are likely in the cache.

And, since most people have SMTP servers, it is often easy to "prime"
somebody's cache, since the SMTP servers often use the same DNS servers.

-- 
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
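An added example, not part of Chris Adams' message or of anything else in this thread: the condition he describes (a server that is not recursing for the world but still hands out cached data to it) can be checked against your own resolver with a non-recursive query, since an answer to an RD=0 query that is not marked authoritative can only have come from the cache. The Python below builds such a query, parses the response header, and reports whether the server refused, answered from cache, or answered authoritatively, together with the response-to-query size ratio that makes cached MX/TXT/NS records attractive in the first place. All names, addresses, and the sample responses are constructed placeholders; `probe()` is the only function that touches the network and is assumed to be pointed at a resolver you administer.

```python
import socket
import struct

# Constructed example: every name and address here is a placeholder.

def build_query(qname, qtype, recursion_desired=False, txid=0x1234):
    """Build a minimal DNS query. With RD=0 the server may answer only from
    cache or authoritative data, which is exactly the leak being discussed."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname_wire + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_response(packet):
    """Return (rcode, answer_count, authoritative_flag, size_in_bytes)."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return flags & 0x000F, an, bool(flags & 0x0400), len(packet)

def classify(query, response):
    """Interpret a response to an RD=0 probe and compute the amplification ratio."""
    rcode, an, aa, size = parse_response(response)
    ratio = size / len(query)
    if rcode == 5:
        return "refused", ratio          # allow-query-cache / allow-query is doing its job
    if an > 0 and not aa:
        return "cache-leak", ratio       # non-authoritative data returned to a non-recursive query
    if an > 0 and aa:
        return "authoritative", ratio    # server is authoritative for the name; expected
    return "no-data", ratio              # e.g. referral or empty answer

def build_response(query, rcode=0, answer_rrs=(), aa=False):
    """Constructed responses for offline testing: echo the question, append RRs."""
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = 0x8000 | (qflags & 0x0100) | 0x0080 | (0x0400 if aa else 0) | rcode
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answer_rrs), 0, 0)
    body = query[12:]
    for rdata in answer_rrs:
        # name pointer to offset 12 (the question name), TYPE MX (15), class IN, TTL, RDLENGTH
        body += b"\xc0\x0c" + struct.pack("!HHIH", 15, 1, 3600, len(rdata)) + rdata
    return header + body

# One constructed MX RDATA: preference 10, exchange "mail.<question name>"
SAMPLE_MX_RDATA = struct.pack("!H", 10) + b"\x04mail" + b"\xc0\x0c"

def probe(server, qname, qtype=15, timeout=3.0):
    """Send an RD=0 query to a resolver you administer and classify the reply."""
    query = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        response, _ = s.recvfrom(4096)
    return classify(query, response)

if __name__ == "__main__":
    q = build_query("example.com", 15)
    print(classify(q, build_response(q, rcode=5)))
    print(classify(q, build_response(q, answer_rrs=[SAMPLE_MX_RDATA] * 5)))
```

A "refused" result is what a well-configured resolver returns to outside probes; in BIND 9 that behaviour comes from restricting `allow-query-cache` (and `allow-recursion`) to your own networks rather than relying on `recursion no` alone. A "cache-leak" result means the server is in the situation the message describes, regardless of whether it recurses for strangers.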
