[169228] in North American Network Operators' Group


Re: random dns queries with random sources

daemon@ATHENA.MIT.EDU (Joe Maimon)
Wed Feb 19 01:11:57 2014

Date: Wed, 19 Feb 2014 01:11:28 -0500
From: Joe Maimon <jmaimon@ttec.com>
To: "Dobbins, Roland" <rdobbins@arbor.net>,
 North American Networking and Offtopic Gripes List <nanog@nanog.org>
In-Reply-To: <AD740223-E643-49F0-8A30-770476CECE94@arbor.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org



Dobbins, Roland wrote:
>
> On Feb 19, 2014, at 12:48 PM, Joe Maimon <jmaimon@ttec.com> wrote:
>
>> What I can't figure out is what is the target and how this attack method is any more effective than the others.
>
> The target appears to be the authoritative servers for the domain in question, yes?

I don't think so, but I have not compiled the full list of domains and 
compared the auth servers for each.

>
> The attacker may consider it more effective because it provides a degree of obfuscation, or maybe he has some reason to game the operators of the authoritative servers in question into denying requests from your recursors.
>
> Most (not all) attackers don't know that much about TCP/IP, DNS, et al., and they tend to copycat one another and do the same things due to magical thinking.
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
>
> 	  Luck is the residue of opportunity and design.
>
> 		       -- John Milton
>
>
>
>

