Tightened DNS security question re: DNS amplification attacks.

Chris Adams cmadams at hiwaay.net
Tue Jan 27 22:19:40 CST 2009


Once upon a time, David Andersen <dga at cs.cmu.edu> said:
> Actually, ". IN NS" is a particularly useful thing for them to do,
> because it's an almost globally guaranteed response that will get a
> large response and be in cache.

That's only true on servers that aren't well-configured.

> "<tld>. IN NS", of course, but the set of things that work well for
> such an attack are relatively limited.

Try "aol.com. MX", "hotmail.com. MX", any domain with a big SPF TXT
record, etc.  There's nothing really special about ". NS".  If somebody
is serving cached data to the world (even if they aren't recursing for
the world), there are any number of things that are likely in the cache.

And, since most people have SMTP servers, it is often easy to "prime"
somebody's cache, since the SMTP servers often use the same DNS servers.

-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
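As an added example (not part of Chris Adams' message or of the NANOG thread), the BIND 9 named.conf fragment below shows the distinction his reply turns on: a server can refuse to recurse for the world and still hand out its cache to anyone, because `allow-recursion` and `allow-query-cache` are separate controls. The ACL name, the network ranges, the zone name and the rate-limit values are placeholders chosen for illustration.

```conf
// Added example, not from the thread. BIND 9 resolver that also hosts
// an authoritative zone. Assumed placeholders: acl "trusted", the
// network ranges in it, and zone "example.com".

acl "trusted" {
    127.0.0.0/8;
    ::1/128;
    192.0.2.0/24;        // placeholder: the networks you recurse for
};

options {
    directory "/var/named";
    recursion yes;

    // The weak shape Chris describes: recursion is limited to local
    // clients, but the cache is still readable by the whole Internet,
    // so anything local mail servers have already looked up (big MX
    // or TXT records) is available as a reflection payload.
    //
    //   allow-recursion   { trusted; };
    //   allow-query-cache { any; };
    //
    // Hardened: cache and recursion are both restricted. Note that when
    // allow-query-cache is left unset BIND derives it from
    // allow-recursion, so setting it explicitly documents the intent.
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };
    allow-query       { trusted; };

    // Response Rate Limiting (BIND 9.10 and later) caps how often the
    // same answer is sent to the same client prefix per second, which
    // blunts amplification against authoritative data that has to
    // stay public. Values are illustrative.
    rate-limit {
        responses-per-second 5;
        window 5;
    };
};

// Authoritative zone: open to everyone, but a zone-level allow-query
// only exposes this zone's own data, never the resolver's cache.
zone "example.com" {
    type master;
    file "db.example.com";
    allow-query { any; };
};
```

To confirm the cache is closed, query the server from an address outside the ACL with recursion disabled, for example `dig @<server> aol.com MX +norecurse`: a correctly restricted server answers REFUSED rather than returning whatever it cached for its own clients, while `dig @<server> example.com NS` from the same vantage point still returns the authoritative data.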