[161911] in North American Network Operators' Group
Re: So how big was it *really*?
daemon@ATHENA.MIT.EDU (Jared Mauch)
Thu Mar 28 09:49:57 2013
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <515445A0.2070508@ip-solutions.net>
Date: Thu, 28 Mar 2013 09:41:37 -0400
To: Harry Hoffman <hhoffman@ip-solutions.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mar 28, 2013, at 9:29 AM, Harry Hoffman <hhoffman@ip-solutions.net> wrote:
> It's interesting, this just came up on gizmodo. As I said in another
> forum, take it for what it's worth:
>
> http://gizmodo.com/5992652/that-internet-war-apocalypse-is-a-lie
I can't comment in detail, but there are some "lost in translation" moments with the reporting.
If you look at externally observable data, something surely happened at LINX on the 23rd:
https://stats.linx.net/cgi-pub/aggregate/week
I think it's easy to get fully into a doom-and-gloom scenario, but even if the numerical reporting is correct there wasn't a broad impact observed similar to slammer/blaster where everyone was congested.
I will say, please don't treat this as 100% hype, and look at unicast-rpf and securing your DNS servers in parallel. That threat certainly is real. With 21,432,212 hosts that respond to DNS queries (with the right answer, not including those that send a referral to root, which is quite large), an amplification attack would be quite easy. It's somewhere around 1:173 hosts run a service that responds. That is real and clearly measurable.
Your BIND settings to look for are:
http://www.zytrax.com/books/dns/ch7/queries.html
additional-from-auth yes | no ;
additional-from-cache yes | no ;
- Jared
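As an added illustration (not part of Jared's post), here is a constructed BIND 9 named.conf fragment showing the open-resolver shape that makes a server a useful amplifier, followed by a tightened version that restricts recursion, turns off the two additional-from-* knobs named above, and adds response rate limiting. The prefixes and zone name are placeholders, and the assumption is a BIND 9 release of that era in which these options exist (rate-limit needs 9.9.4 or 9.10 and later).

```conf
// Constructed example, not from the original post. The two "options" blocks
// below are alternatives: a real named.conf contains exactly one of them.

// BEFORE: unrestricted recursion makes this an open resolver. Anyone can
// send a small query with a spoofed source address and the server returns
// a large answer (padded with extra records) to the victim.
options {
    directory "/var/cache/bind";
    recursion yes;                  // default: recursive answers for everyone
    allow-query { any; };
    additional-from-auth yes;       // pad answers with extra authoritative data
    additional-from-cache yes;      // pad answers with extra cached data
};

// AFTER: authoritative towards the Internet, recursive only for our own
// prefixes, smaller answers, and throttling of repeated identical responses.
acl "trusted" {
    192.0.2.0/24;                   // placeholder prefixes (RFC 5737 / RFC 3849)
    2001:db8::/32;
    localhost;
};

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { trusted; };   // only our clients may ask us to recurse
    allow-query-cache { trusted; }; // and only they may read cached data
    allow-query { any; };           // our own authoritative zones stay public
    additional-from-auth no;        // the two settings from the post: do not
    additional-from-cache no;       //   append additional records to answers
    minimal-responses yes;          // trim authority/additional sections further
    rate-limit {                    // RRL: cap identical responses per client
        responses-per-second 5;     //   address, which blunts reflection
        window 5;
    };
};

zone "example.com" {                // placeholder zone
    type master;
    file "/etc/bind/db.example.com";
};
```

After reloading, querying for a name outside your zones from a non-trusted address should return REFUSED rather than an answer; that is the externally observable check that recursion is closed.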