[54436] in North American Network Operators' Group
Re: DDos syn attack
daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Mon Dec 30 13:07:21 2002
Date: Mon, 30 Dec 2002 18:06:46 +0000 (GMT)
From: "Christopher L. Morrow" <chris@UU.NET>
To: Randy Bush <randy@psg.com>
Cc: "Christopher L. Morrow" <chris@UU.NET>, <nanog@merit.edu>
In-Reply-To: <E18T2Td-000Aqz-00@roam.psg.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Mon, 30 Dec 2002, Randy Bush wrote:
> > This is also a very viable solution, provided the customer has
> > provisioned for this with lower TTLs on their DNS records, which
> > A LOT of people (thankfully) don't do
>
> actually, a bunch of research now shows that low TTLs on A RRs
> (that are not the A RRs of NS RRs) have little effect.
>
> in the case a dns lookup is being done in a ddos, of course one
> would prefer if the attacking zombies cached the lookup <grin>.
wouldn't DNS lookups be a bit time consuming and introduce a DoS on the
DoS? if you had to look up each time you crafted a packet it'd take a lot
more effort to pound out 100kpps, no? Most of the flooders I've seen (I'm
no programmer so I may be wrong on this) actually do a lookup to IP for
the dest and just start making packets, never rechecking the name->IP
mapping once it's done the first time.
On the other hand, writing something for 100,000 Code Red clients to use is
another story; if you have 100,000 hosts you can afford a DNS lookup :)
though most of them just do: ping -t www.psg.com 65000
or some MS-DOS flavor of this... (I don't actually know the right flags for
DOS's ping program :( )
>
> randy
>