[151967] in North American Network Operators' Group


Re: DNS noise

daemon@ATHENA.MIT.EDU (Nick Hilliard)
Fri Apr 6 14:06:52 2012

X-Envelope-To: nanog@nanog.org
Date: Fri, 06 Apr 2012 19:04:41 +0100
From: Nick Hilliard <nick@foobar.org>
To: Nathan Eisenberg <nathan@atlasnetworks.us>
In-Reply-To: <8C26A4FDAE599041A13EB499117D3C287CA17C7F@EX-MB-1.corp.atlasnetworks.us>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 06/04/2012 18:41, Nathan Eisenberg wrote:
> Anyone else seeing this sort of noise lately?

There has been a bit of that recently for ripe.net and several other well-known
DNSSEC-enabled domains (e.g. isc.org).

It turns out that DNSSEC makes a respectable traffic amplification vector:

> twinkie# dig +ignore +notcp any ripe.net | grep rcvd
> ;; MSG SIZE  rcvd: 490
> twinkie#

The DNS request packet size was 26 bytes.  Add packet overhead to both the
request and the reply, and you end up with:

request: 26 (data) + 8 (udp) + 20 (ip) + 18 (ethernet frame) + 12 (ipg) + 8 (preamble) = 92
reply:   490 (data) + 8 (udp) + 20 (ip) + 18 (ethernet frame) + 12 (ipg) + 8 (preamble) = 556

=> amplification on ethernet medium == 556/92, or slightly more than 6x.

Welcome back to the 1990s.

Nick

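The arithmetic in the post, worked as an added example (this is not code from the post or from NANOG). It builds the raw DNS query packet dig sends for `ANY ripe.net` so the reader can see where the 26 bytes come from (a 12-byte RFC 1035 header, a 10-byte encoded qname, and 4 bytes of qtype/qclass, with no EDNS0 OPT record), then applies the same per-packet framing overhead the post itemises (UDP 8, IPv4 20, Ethernet header plus FCS 18, inter-packet gap 12, preamble 8) to both directions. The 490-byte reply size is the value quoted in the post; the transaction ID, the 4096-byte EDNS0 buffer size and the `WIRE_OVERHEAD` constant are the example's own assumptions. It also shows that adding an RFC 6891 OPT pseudo-record costs only 11 query bytes, which is the mechanism that lets a resolver advertise a UDP payload size above the classic 512-byte limit and so receive larger (and more amplified) answers.

```python
import struct

# Framing overhead per packet on an Ethernet medium, as itemised in the post:
# UDP 8 + IPv4 20 + Ethernet header/FCS 18 + inter-packet gap 12 + preamble 8.
# (Assumption taken from the post; VLAN tags, IPv6 etc. would change it.)
WIRE_OVERHEAD = 8 + 20 + 18 + 12 + 8   # 66 bytes

QTYPE_ANY = 255
QTYPE_OPT = 41
QCLASS_IN = 1


def encode_name(name):
    """RFC 1035 wire form: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name, qtype=QTYPE_ANY, edns_bufsize=None, txid=0x1234):
    """Build a raw DNS query: header + one question, optional EDNS0 OPT RR.

    Without EDNS0 the packet for 'ripe.net' is 12 (header) + 10 (qname)
    + 4 (qtype/qclass) = 26 bytes, the request size quoted in the post.
    With EDNS0 an RFC 6891 OPT pseudo-RR adds 11 bytes and advertises a
    UDP payload size above 512, which is what allows larger UDP answers.
    """
    arcount = 1 if edns_bufsize else 0
    # id, flags (RD set), qdcount, ancount, nscount, arcount
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack(">HH", qtype, QCLASS_IN)
    pkt = header + question
    if edns_bufsize:
        # OPT RR: root name (1) + type (2) + udp size in the class field (2)
        # + ttl/extended-rcode+flags (4) + rdlength (2) = 11 bytes, no options.
        pkt += b"\x00" + struct.pack(">HHIH", QTYPE_OPT, edns_bufsize, 0, 0)
    return pkt


def wire_bytes(payload_len):
    """Bytes of line time consumed by one UDP datagram with payload_len bytes."""
    return payload_len + WIRE_OVERHEAD


def amplification(query_len, reply_len):
    """Bandwidth amplification factor as seen on the Ethernet medium."""
    return wire_bytes(reply_len) / wire_bytes(query_len)


def payload_amplification(query_len, reply_len):
    """Naive DNS-payload-only ratio, which overstates the wire-level figure."""
    return reply_len / query_len


if __name__ == "__main__":
    q = build_query("ripe.net")
    reply_len = 490                      # reply size observed in the post
    print("query bytes:", len(q), "-> on the wire:", wire_bytes(len(q)))
    print("reply bytes:", reply_len, "-> on the wire:", wire_bytes(reply_len))
    print("wire amplification: %.2fx" % amplification(len(q), reply_len))
    print("payload-only ratio: %.2fx" % payload_amplification(len(q), reply_len))
    print("same query with EDNS0 OPT:", len(build_query("ripe.net", edns_bufsize=4096)), "bytes")
```

The point of computing both ratios is that the headline "reply/request" payload figure (490/26, nearly 19x) is what most write-ups quote, while the post's 556/92 (just over 6x) is what the attacker actually gets per unit of link capacity once framing is counted; the fixed 66-byte overhead matters most for tiny queries. The same functions can be fed whatever reply sizes a given server returns with and without EDNS0 to compare the two cases, since the example does not assume any reply size beyond the one in the post.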
