DNS Amplification Attacks

Joseph S D Yao jsdy at center.osis.gov
Fri Mar 24 20:43:59 UTC 2006

On Thu, Mar 23, 2006 at 02:07:36PM +0100, Peter Dambier wrote:
> Please don't take ICANN censoring "XN--55QX5D.", "XN--FIQS8S." and
> "XN--IO0A7I." seriously. Meant as a joke. Did not make it. Sorry!

I see.  Thanks for the info.

My observation of human senses of humor is that humor is a mutual
rejection of information that shared experience says is not credible in
the shared frame of reality.  Jokes that tend not to be understood tend
to be because the recipient of the joke does not share sufficient frame
of reality with the transmitter to ascertain that this is in fact
believed by both to be contrary to that frame of reality.

Or maybe that's just my own warped way of seeing it.  But, no, I'm sorry
but I didn't realize it was a joke.  ;-)

> Joseph S D Yao wrote:
> >
> >"You keep using that word.  I do not think it means what you think it
> >means."

This was a quote from the movie, "The Princess Bride", which a number of
people - some of whom surprise me by this - seem to like to quote a lot.

> My dictionary says censor is from Latin. A magistrate, let's call him a
> politician like
> http://odem.org/akteure/juergen-buessow.de.html
> http://www.wdr.de/themen/politik/nrw/demo_internetzensur/index.jhtml
> http://www.heise.de/tp/r4/artikel/12/12733/1.html

Quite apt.  This is exactly right.  He removed things that were, shall
we say, difficult to reconcile with the official Roman reality.  Too
many people still try to do this.

> Sorry I have this guy only in German.
> This guy ordered some local ISPs to make sites unavailable mostly by
> forging DNS entries kept in their local resolvers. I was told by
> people involuntarily working for him that more than 6000 sites were
> involved. Quite a lot of them collateral damage.
> The Latin version says this guy is taking things out of books so the
> ordinary Roman was not annoyed by distasteful things. I guess you see
> the irony.

In reference to the German politician, it is more than irony, it fits.

In reference to ICANN, not so good a fit.  It was to that, that I had
been reacting.

> Büssow meant to keep journalists from seeing sites in the USA and
> Canada that would be prosecuted in Germany.
> His helpers felt invited to do a lot more good and played some
> tricks on their "friends". In Germany we do not pick a leaf from a
> tree. We cut the tree and dig out the root.

;-]  That trait has been observed by other national observers, yes,
although I don't think I've seen that fine analogy before.

> If you have to live with a resolver that is answering as slowly as
> this one
> ; <<>> DiG 9.1.3 <<>> www.peter-dambier.de @www-proxy.UL1.srv.t-online.de
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1092
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;www.peter-dambier.de.          IN      A
> www.peter-dambier.de.   6000    IN      A
> ;; Query time: 2118 msec
> ;; SERVER:
> ;; WHEN: Thu Mar 23 13:59:57 2006
> ;; MSG SIZE  rcvd: 54
> my local ISP, then you feel tempted to use a foreign resolver. So
> for me running my own independent resolver was a must.

Considering how often DNS is called in the background for many simple
transactions, a 2.118-second lookup is unconscionable.  I agree with
your analysis.

> But many of my colleagues are not computer science people. Many of the
> poor buggers are running some flavour of Windows. For them it is life
> behind the big Chinese firewall if they cannot find an open resolver.
> Please excuse if I overreact a bit on this matter.

Whatever our disagreements on other matters, on this one I am in full
sympathy with you.  ;-)  ;-(

Joe Yao
   This message is not an official statement of OSIS Center policies.
