DNS Amplification Attacks

Paul Vixie vixie at vix.com
Mon Mar 20 22:17:32 UTC 2006

> Attacks such as this one have been happening for a long time now, non of 
> us should be surprised. Two new things in the *recent* attacks are:
> 1. Wide exploitation in the wild, which draws attention.

that the press has been told about it this time, is new.  the scope of the
attack, either in breadth or intensity, is not new in these recent attacks.

> 2. Abusing EDNS for a larger amplification factor.

the use of EDNS is not new in these recent attacks, either.

> The reason we released the text at this time (before we were ready, we 
> were planning on making it academic-worthy) is that because of the lack 
> of actual data out there and increasing FUD, we were encouraged to do so 
> for the community.

any blame-putting on DNS or EDNS that fails to also mention amplification
that's possible via NTP or the fact that refector attacks based on ICMP are
still common and practical even without smurf amplification, is itself FUD.

> That is why in the paper we cover events that happened to ISP's rather 
> than just theoretical case studies.

in the paper i reviewed, the practical case studies were useful.  
Paul Vixie

More information about the NANOG mailing list