DNS Amplification Attacks
Joseph S D Yao
jsdy at center.osis.gov
Fri Mar 24 20:43:59 UTC 2006
On Thu, Mar 23, 2006 at 02:07:36PM +0100, Peter Dambier wrote:
> Please dont take ICANN censoring "XN--55QX5D.", "XN--FIQS8S." and
> "XN--IO0A7I." serious. Ment as a joke. Did not make it. Sorry!
I see. Thanks for the info.
My observation of human senses of humor is that humor is a mutual
rejection of information that shared experience says is not credible in
the shared frame of reality. Jokes that tend not to be understood tend
to be because the recipient of the joke does not share sufficient frame
of reality with the transmitter to ascertain that this is in fact
believed by both to be contrary to that frame of reality.
Or maybe that's just my own warped way of seeing it. But, no, I'm sorry
but I didn't realize it was a joke. ;-)
> Joseph S D Yao wrote:
> >"You keep using that word. I do not think it means what you think it
This was a quote from the movie, "The Princess Bride", which a number of
people - some of whom surprise me by this - seem to like to quote a lot.
> My dictionary says censor is from latin. A magistrate, lets call him a
> polititian like
Quite apt. This is exactly right. He removed things that were, shall
we say, difficult to reconcile with the official Roman reality. Too
many people still try to do this.
> Sorry I have this guy only in german.
> This guy odered some local ISPs to making sites unavailable mostly by
> forging DNS entries kept in their local resolvers. I was told by
> peoply unvolontarily working for him that more than 6000 sites were
> involved. Quite a lot of them collateral damage.
> The latin version says this guy is taking things out of books so the
> ordinary roman was not annoyed by distateful things. I guess you see
> the irony.
In reference to the German politician, it is more than irony, it fits.
In reference to ICANN, not so good a fit. It was to that, that I had
> B?ssow ment to keep journalists from seeing sites in the USA and
> Canada that would be prosecuted in Germany.
> His helpers felt invited to do a lot more good and played some
> tricks on their "friends". In Germany we do not pick a leave from a
> tree. We cut the tree and dig out the root.
;-] That trait has been observed by other national observers, yes,
although I don't think I've seen that fine analogy before.
> If you have to live with a resolver that is answering as slowly as
> this one
> ; <<>> DiG 9.1.3 <<>> www.peter-dambier.de @www-proxy.UL1.srv.t-online.de
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1092
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;www.peter-dambier.de. IN A
> ;; ANSWER SECTION:
> www.peter-dambier.de. 6000 IN A 18.104.22.168
> ;; Query time: 2118 msec
> ;; SERVER: 22.214.171.124#53(www-proxy.UL1.srv.t-online.de)
> ;; WHEN: Thu Mar 23 13:59:57 2006
> ;; MSG SIZE rcvd: 54
> my local ISP, then you feel tempted to use a foraign resolver. So
> for me running my own independent resolver was a must.
Considering how often DNS is called in the background for many simple
transactions, a 2.118-second lookup is unconscionable. I agree with
> But many of my colleages are not computerscience people. Many of the
> poor buggers are running some flavour of windows. For them it is life
> behind the big chinese firewall if they cannot find an open resolver.
> Please excuse if I overreact a bit on this matter.
Whatever our disagreements on other matters, on this one I am in full
sympathy with you. ;-) ;-(
This message is not an official statement of OSIS Center policies.
More information about the NANOG