DNS Amplification Attacks

Geo. geoincidents at nls.net
Mon Mar 20 21:28:35 UTC 2006

> Recursion the way it is set now with most DNS implementations, is the
> problem being exploited by spoofing. It is true spoofing is bad for our
> health, but that does not mean we should ignore what actually gets
> exploited, which is recursive name servers open to the world.
> Fixing the one does not mean we shouldn't fix the other.

But fixing recursion also fixes the internet (fixes as in how you fix a dog)
in that he who controls the DNS controls the net. Fixing DNS is going to
hand over strict control to governments because now they can prevent you
from resolving anything they don't want you to resolve.

It also severely cuts into redundancy functions on the net.

I realize even if we eliminate spoofing completely, dns can still be used to
flood, but so can any other shared function on the net. We closed relay but
I can still flood you with emails by doing a joe-job is a good example.

At some point we really need to look at this and ask ourselves is it worth
what we must give up in order to eliminate some attack vector and isn't
there a better way that doesn't involve us giving up so much. I think in
this case the answer is maybe there is a better way, eliminate spoofing or
eliminate udp use in recursive dns queries are valid options.

So in answer to the last part of the above quote, maybe we shouldn't fix the
other. (just something to consider)

George Roettger
Netlink Services

More information about the NANOG mailing list