DNS Amplification Attacks

Florian Weimer fw at deneb.enyo.de
Wed Mar 22 20:34:39 UTC 2006


* Peter Dambier:

>> This is not true.  There has been some questionable advice by a
>> regulatory body, though.  Most damage is done by ISPs which simply do
>> not adjust the filters to the moving target and run them as-is since
>> 2001 or so.  Null routes tend to filter a different customer after
>> such a long time.
>> 
>
> Here it is documented. Sorry it is in German only:

Yeah, sure, but your summary is misleading (convenient it's "German
only", is it?).  The actual damage was done by ISPs, that body only
gave questionable advice.  Afterwards, most ISPs simply didn't care,
in the sense that they didn't maintain the filters.

> Several sites were censored and could only escape by changing
> providers.

It's more interesting if you can't do this.  A null route on a router
in Frankfurt sometimes does wonders.  It's also fairly effective to
null-route what is logically a downstream customer, even if it's
outside your network (by a few AS hops) and somewhere in Asia.

Such things happen all the time, and not just for DDoS prevention
purposes or malware containment.  Some of the filters are clearly
targeted at specific content which is deemed unsuitable for
consumption by Germans.  Such cases are not well-publicized.  Often,
you can't tell them from genuine routing problems (and if you've got
insider information, you typically can't publish).  I don't think this
is just a German or Chinese problem, by the way.

> Nevertheless I could see the site "http://www.enyo/"
> after adding "212.9.189.164 www.enyo enyo" to my /etc/hosts
> Maybe even could send you emails?

No, because I don't actually use ENYO. 8->

More information about the NANOG mailing list