[54441] in North American Network Operators' Group
Re: DDos syn attack
daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Mon Dec 30 14:42:41 2002
Date: Mon, 30 Dec 2002 19:42:07 +0000 (GMT)
From: "Christopher L. Morrow" <chris@UU.NET>
To: Chris Wedgwood <cw@f00f.org>
Cc: Randy Bush <randy@psg.com>,
"Christopher L. Morrow" <chris@UU.NET>, <nanog@merit.edu>
In-Reply-To: <20021230185310.GA13089@tapu.f00f.org>
Errors-To: owner-nanog-outgoing@merit.edu

On Mon, 30 Dec 2002, Chris Wedgwood wrote:
>
> On Mon, Dec 30, 2002 at 08:09:17AM -0800, Randy Bush wrote:
>
> > actually, a bunch of research now shows that low ttls on A RRs (that
> > are not the A RRs of NS RRs) has little effect.
>
> maybe this could help find the attacking network? assuming people are
> using local DNS servers?
>
> under attack you could sporadically 'lie' about the result... and log
> whom you lied to... all the time looking for changes in the DDoS
> target
>
> a fair amount of work perhaps...

wow, break bind in a new and horrid way to accomplish this task :) Nice...
perhaps mr. vixie will add this functionality for us?
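
The bookkeeping behind the quoted idea (answer differently per querying resolver, log who was told what, watch where the flood moves), as an added example that is not part of the original thread and not BIND code. It goes one step further than the thread by repeating the lie over several rounds and intersecting the logs; the class name, the round scheme and all addresses are assumptions made for illustration, and it assumes the attacking hosts re-resolve the name through a local resolver, so the result names a resolver rather than a host.

```python
from collections import defaultdict

class LyingResponder:
    """Hands each querying resolver one address from a pool and logs it."""

    def __init__(self, pool):
        self.pool = list(pool)        # addresses we are willing to answer with
        self.ids = {}                 # resolver IP -> stable integer id
        self.log = defaultdict(set)   # (round, answer) -> resolvers told it

    def answer(self, resolver, rnd):
        # Round `rnd` uses base-k digit `rnd` of the resolver's id, so all
        # ids below k**rounds are told apart once every round has run.
        i = self.ids.setdefault(resolver, len(self.ids))
        k = len(self.pool)
        addr = self.pool[(i // k ** rnd) % k]
        self.log[(rnd, addr)].add(resolver)
        return addr

    def suspects(self, observed):
        """observed maps round -> address the flood moved to in that round."""
        sets = [self.log.get((r, a), set()) for r, a in observed.items()]
        return set.intersection(*sets) if sets else set()

def demo():
    # Constructed data: documentation-range addresses, not from the thread.
    pool = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    resolvers = [f"203.0.113.{n}" for n in range(1, 10)]
    hidden = "203.0.113.6"            # resolver the attacking hosts use
    srv, observed = LyingResponder(pool), {}
    for rnd in range(2):              # 3 answers, 2 rounds: 3**2 = 9 resolvers
        told = {r: srv.answer(r, rnd) for r in resolvers}
        observed[rnd] = told[hidden]  # the flood follows what `hidden` was told
    return observed, srv.suspects(observed)

if __name__ == "__main__":
    print(demo())
```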