[33439] in North American Network Operators' Group
Re: DNS requests from 209.67.50.203
daemon@ATHENA.MIT.EDU (Bora Akyol)
Wed Jan 10 23:41:13 2001
Message-ID: <010101c07b88$64e594b0$0500000a@DL100779>
From: "Bora Akyol" <akyol@akyol.org>
To: "Vern Paxson" <vern@ee.lbl.gov>
Cc: <nanog@merit.edu>
Date: Wed, 10 Jan 2001 20:38:11 -0800
I am still curious as to why *this* attack would even exist (seeing that it
uses a spoofed source IP address) if people were filtering traffic that was
originating from their networks properly.
I thought we discussed this already last month on the list.
Bora
----- Original Message -----
From: "Vern Paxson" <vern@ee.lbl.gov>
To: "Jared Mauch" <jared@puck.Nether.net>
Cc: "Steven M. Bellovin" <smb@research.att.com>;
<jtk@aharp.is-net.depaul.edu>; <nanog@merit.edu>
Sent: Tuesday, January 09, 2001 6:45 PM
Subject: Re: DNS requests from 209.67.50.203
>
> > A good way to reduce this is to turn off recursion for
> > people not on your network for your dns server. This is fairly easy
> > to do with bind8/bind9.
>
> The attack isn't via recursive lookups (though recursion could help augment
> the attack). The reflection is in terms of the DNS reply to the purported
> requestor (really the victim). At lbl.gov, none of the requests result in
> further lookups from our nameserver. But the victim still receives the reply
> stream, which from a combined large number of name servers is very large.
>
> See my draft paper
>
> ftp://ftp.ee.lbl.gov/.vp-reflectors.txt
>
> for a discussion of reflector attacks.
>
> Vern
>
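
An added example, not part of the original thread: one way a nameserver operator could spot the pattern discussed above, a single purported requester sending a sustained query stream, in a query log. The log format, window and threshold are assumptions made for this sketch; a flagged address is the claimed source, which in a reflection is the victim rather than the sender.

```python
from collections import defaultdict, deque

# Constructed sample log: "<epoch-seconds> <source-ip> <qname>".
# This layout is invented for the example; it is not BIND's query log format.
SAMPLE_LOG = "\n".join(
    # 209.67.50.203 (the address from the thread subject): one query per second
    [f"{979100000 + i} 209.67.50.203 lbl.gov" for i in range(6)]
    # an ordinary resolver: two lookups a few seconds apart
    + ["979100000 192.0.2.10 www.lbl.gov", "979100003 192.0.2.10 ftp.lbl.gov"]
    # a slow, steady client: one query every 25 seconds
    + [f"{979100000 + 25 * i} 198.51.100.7 lbl.gov" for i in range(5)]
    + ["this line is malformed"]
)


def parse_line(line):
    """Return (timestamp, source, qname), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 3 or not parts[0].isdigit():
        return None
    return int(parts[0]), parts[1], parts[2]


def sources_over_rate(lines, window_s=10, threshold=5):
    """Map each source to its peak query count within any window_s-second
    window, keeping only sources whose peak reaches the threshold."""
    records = sorted(r for r in map(parse_line, lines) if r is not None)
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    peak = defaultdict(int)       # source -> highest in-window count seen
    for ts, src, _qname in records:
        window = recent[src]
        window.append(ts)
        # Drop timestamps that have aged out of the sliding window.
        while ts - window[0] >= window_s:
            window.popleft()
        peak[src] = max(peak[src], len(window))
    return {src: n for src, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in sources_over_rate(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} queries within 10 s; replies go to this address")
```
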