DNS requests from 209.67.50.203

Bora Akyol akyol at akyol.org
Thu Jan 11 04:38:11 UTC 2001


I am still curious as to why *this* attack would even exist (seeing that it
uses a spoofed source IP address) if people were filtering traffic that was
originating from their networks properly.

I thought we discussed this already last month on the list.

Bora

----- Original Message -----
From: "Vern Paxson" <vern at ee.lbl.gov>
To: "Jared Mauch" <jared at puck.Nether.net>
Cc: "Steven M. Bellovin" <smb at research.att.com>;
<jtk at aharp.is-net.depaul.edu>; <nanog at merit.edu>
Sent: Tuesday, January 09, 2001 6:45 PM
Subject: Re: DNS requests from 209.67.50.203


>
> > A good way to reduce this is to turn off recursion for
> > people not on your network for your dns server.  This is fairly easy
> > to do with bind8/bind9.
>
> The attack isn't via recursive lookups (though recursion could help augment
> the attack).  The reflection is in terms of the DNS reply to the purported
> requestor (really the victim).  At lbl.gov, none of the requests result in
> further lookups from our nameserver.  But the victim still receives the reply
> stream, which from a combined large number of name servers is very large.
>
> See my draft paper
>
> ftp://ftp.ee.lbl.gov/.vp-reflectors.txt
>
> for a discussion of reflector attacks.
>
> Vern
>




