North American Network Operators Group

Re: DNS requests from 209.67.50.203

  • From: Bora Akyol
  • Date: Wed Jan 10 23:41:57 2001

I am still curious as to why *this* attack would even exist (seeing that it
uses a spoofed source IP address) if people were filtering traffic that was
originating from their networks properly.

I thought we discussed this already last month on the list.

Bora

----- Original Message -----
From: "Vern Paxson" <[email protected]>
To: "Jared Mauch" <[email protected]>
Cc: "Steven M. Bellovin" <[email protected]>;
<[email protected]>; <[email protected]>
Sent: Tuesday, January 09, 2001 6:45 PM
Subject: Re: DNS requests from 209.67.50.203


>
> > A good way to reduce this is to turn off recursion for
> > people not on your network for your dns server.  This is fairly easy
> > to do with bind8/bind9.
>
> The attack isn't via recursive lookups (though recursion could help augment
> the attack).  The reflection is in terms of the DNS reply to the purported
> requestor (really the victim).  At lbl.gov, none of the requests result in
> further lookups from our nameserver.  But the victim still receives the reply
> stream, which from a combined large number of name servers is very large.
>
> See my draft paper
>
> ftp://ftp.ee.lbl.gov/.vp-reflectors.txt
>
> for a discussion of reflector attacks.
>
> Vern
>
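
Added example, not part of the thread: a sketch of the source-address filtering discussed above, applied to outbound packets at a site border so that queries carrying a spoofed source never reach a name server that would reflect replies at the victim. The prefixes, packet records and function names are assumptions constructed for illustration, using documentation address ranges.

```python
import ipaddress
from collections import Counter

# Assumption: the prefixes this site legitimately originates.
SITE_PREFIXES = [ipaddress.ip_network(p)
                 for p in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed outbound packet records seen at the border:
# (claimed source, destination, destination port).
SAMPLE_PACKETS = [
    ("192.0.2.10", "203.0.113.53", 53),      # local source, forwarded
    ("198.51.100.20", "203.0.113.53", 53),   # local source, forwarded
    ("198.51.100.200", "203.0.113.53", 53),  # outside our /25, dropped
    ("203.0.113.7", "203.0.113.53", 53),     # not ours: spoofed, dropped
    ("203.0.113.7", "203.0.113.54", 53),     # same claimed source, second server
    ("not-an-address", "203.0.113.53", 53),  # malformed record, dropped
]


def source_is_local(src, prefixes=SITE_PREFIXES):
    """True only if src parses and falls inside one of the site's prefixes."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # fail closed on anything unparseable
    return any(addr in net for net in prefixes)


def egress_filter(packets, prefixes=SITE_PREFIXES):
    """Split outbound packets into (forwarded, dropped) by source address."""
    forwarded, dropped = [], []
    for pkt in packets:
        target = forwarded if source_is_local(pkt[0], prefixes) else dropped
        target.append(pkt)
    return forwarded, dropped


def spoofed_summary(dropped):
    """Count dropped packets per claimed source, i.e. per purported requestor."""
    return Counter(src for src, _dst, _port in dropped)


if __name__ == "__main__":
    fwd, drop = egress_filter(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drop)}")
    for src, count in spoofed_summary(drop).most_common():
        print(f"  dropped {count} packet(s) claiming source {src}")
```

The per-source counts of dropped packets are worth logging: a claimed source that recurs across many destinations is the address the replies would have been reflected to.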