[33410] in North American Network Operators' Group


Re: DNS requests from 209.67.50.203

daemon@ATHENA.MIT.EDU (Vern Paxson)
Tue Jan 9 21:59:40 2001

Message-Id: <200101100245.f0A2jjX14016@daffy.ee.lbl.gov>
To: Jared Mauch <jared@puck.Nether.net>
Cc: "Steven M. Bellovin" <smb@research.att.com>,
	jtk@aharp.is-net.depaul.edu, nanog@merit.edu
In-reply-to: Your message of Tue, 09 Jan 2001 20:32:55 PST.
Date: Tue, 09 Jan 2001 18:45:45 PST
From: Vern Paxson <vern@ee.lbl.gov>
Errors-To: owner-nanog-outgoing@merit.edu


> 	A good way to reduce this is to turn off recursion for
> people not on your network for your dns server.  This is fairly easy
> to do with bind8/bind9.

The attack isn't via recursive lookups (though recursion could help augment
the attack).  The reflection is in terms of the DNS reply to the purported
requestor (really the victim).  At lbl.gov, none of the requests result in
further lookups from our nameserver.  But the victim still receives the reply
stream, which from a combined large number of name servers is very large.

See my draft paper

	ftp://ftp.ee.lbl.gov/.vp-reflectors.txt

for a discussion of reflector attacks.

		Vern
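The mechanics Vern describes, modelled at the DNS wire level as an added example (this is illustrative code written for this archive page, not code from Vern Paxson, LBL or the draft paper). It builds a query whose IP source address has been forged to the victim, lets a reflector answer it without doing any further lookups, and measures what the victim receives: an authoritative answer from the reflector's own zone, and the query-sized REFUSED a server with recursion disabled would send. The names, the addresses (203.0.113.7, 198.51.100.53, 192.0.2.x), the 10,000 reflectors at 100 queries/s, and the 42-byte Ethernet+IPv4+UDP framing overhead are all assumptions constructed for the example.

```python
"""Wire-format model of a DNS reflector attack: a query whose IP source
address is forged to the victim, the reflector's reply, and the amplification
and aggregate reply stream that result.  Example code added to this archive
page; it is not Vern Paxson's, LBL's or NANOG's code.  Every name, address
and rate below is constructed for illustration."""
import struct

QTYPE_A, QCLASS_IN = 1, 1
RCODE_NOERROR, RCODE_REFUSED = 0, 5
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080
# Assumed per-reply framing overhead: Ethernet (14) + IPv4 (20) + UDP (8).
L2_L3_L4_OVERHEAD = 42


def encode_name(name):
    """Encode a dotted name as DNS labels: www.example.com -> 3www7example3com0."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid, name, qtype=QTYPE_A, rd=True):
    """A minimal DNS query: 12-byte header (QDCOUNT=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_response(query, answers, rcode=RCODE_NOERROR, recursion_available=False):
    """Authoritative reply to `query`: same txid, QR|AA set, question echoed,
    then one RR per (rtype, ttl, rdata) in `answers`.  Each RR is owned by the
    question name, written as the compression pointer 0xC00C (offset 12)."""
    txid, qflags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    flags = FLAG_QR | FLAG_AA | (qflags & FLAG_RD) | rcode
    if recursion_available:
        flags |= FLAG_RA
    header = struct.pack("!HHHHHH", txid, flags, qdcount, len(answers), 0, 0)
    rrs = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", rtype, QCLASS_IN, ttl, len(rdata)) + rdata
        for rtype, ttl, rdata in answers)
    return header + query[12:] + rrs


def rcode_of(message):
    """Low four bits of the flags word: the response code."""
    return struct.unpack("!H", message[2:4])[0] & 0x000F


def reflect(datagram, answers, rcode=RCODE_NOERROR):
    """The reflector's side.  `datagram` is (ip_src, ip_dst, udp_payload) as it
    arrived.  The reply goes to ip_src, which the attacker forged to be the
    victim; the reflector cannot tell.  Returns (ip_src, ip_dst, payload)."""
    ip_src, ip_dst, query = datagram
    return ip_dst, ip_src, build_response(query, answers, rcode=rcode)


def amplification(query, reply):
    """Bytes the victim receives per byte the attacker sends."""
    return len(reply) / len(query)


def victim_inbound_bps(reflectors, queries_per_sec_each, reply_bytes):
    """Aggregate reply stream arriving at the victim, in bits per second."""
    return reflectors * queries_per_sec_each * (reply_bytes + L2_L3_L4_OVERHEAD) * 8


def scenario():
    """Constructed scenario: the attacker spoofs victim 203.0.113.7 and drives
    one A query at 100 q/s into each of 10,000 authoritative name servers."""
    victim, reflector = "203.0.113.7", "198.51.100.53"
    query = build_query(0x1234, "www.example.com")
    # Four A records served from the reflector's own zone: no recursion needed.
    answers = [(QTYPE_A, 300, bytes([192, 0, 2, n])) for n in range(1, 5)]
    _, dst, reply = reflect((victim, reflector, query), answers)
    # Recursion off and name not in zone: still a (query-sized) REFUSED reply.
    _, _, refused = reflect((victim, reflector, query), [], rcode=RCODE_REFUSED)
    return {
        "reply_goes_to": dst,
        "query_bytes": len(query),
        "reply_bytes": len(reply),
        "amplification": amplification(query, reply),
        "refused_bytes": len(refused),
        "refused_amplification": amplification(query, refused),
        "victim_bps": victim_inbound_bps(10_000, 100, len(reply)),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:>22}: {value}")
```

Running it shows the two sides of the point above: the reply always goes to the forged source (the victim), whether or not the reflector recurses. Turning recursion off only shrinks the reply to a REFUSED the size of the query (amplification 1.0) for names the server is not authoritative for; for names in its own zone it answers at roughly 3x, and 10,000 such servers at 100 q/s each put about 1.1 Gbit/s of reply traffic on the victim under the assumed framing.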

