Open Resolver Problems

Patrick W. Gilmore patrick at ianai.net
Tue Mar 26 12:07:22 UTC 2013


On Mar 26, 2013, at 08:01 , "Dobbins, Roland" <rdobbins at arbor.net> wrote:
> On Mar 26, 2013, at 6:50 PM, Jamie Bowden wrote:
> 
>> let's suppose I just happen to have, or have access to, a botnet comprised of (tens of) millions of random hosts all over the internet, and I feel like destroying your DNS servers via DDoS;
> 
> DNS reflection/amplification attacks aren't intended as attacks against the DNS, per se; they're intended to crush any/all targeted servers and/or fill transit pipes.

To be more clear, the point of DNS reflection attacks is to amplify the amount of bandwidth the botnet can muster (and perhaps hide the true source).

If you have 10s of millions of bots, you don't need to amplify. You can crush any single IP address on the 'Net.


> Same for SNMP and ntp reflection attacks.

And far too many other things. :(

-- 
TTFN,
patrick
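A resolver-side check for the abuse pattern discussed in this thread, added here as an illustration and not code from the original post: sampled flow records are grouped per client, and a client whose DNS responses dwarf its queries by a large factor (while carrying a non-trivial response volume) is flagged as a likely spoofed reflection victim. The flow layout (src, dst, sport, dport, bytes, pkts) and the sample records are constructed stand-ins for NetFlow/IPFIX export; the thresholds are assumptions to tune per site.

```python
"""Flag likely DNS reflection/amplification abuse from sampled flow records.

Illustrative example added to the thread; the Flow layout and the sample
records below are constructed, not real export data.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Flow(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    bytes: int
    pkts: int


# Constructed sample as seen at resolver 192.0.2.53 (UDP assumed throughout).
# 203.0.113.7 "sends" tiny queries and receives very large responses, the
# signature of a spoofed victim; 198.51.100.9 shows an ordinary query/response mix.
SAMPLE_FLOWS: List[Flow] = [
    Flow("203.0.113.7", "192.0.2.53", 40001, 53, 64, 1),
    Flow("192.0.2.53", "203.0.113.7", 53, 40001, 3200, 3),
    Flow("203.0.113.7", "192.0.2.53", 40002, 53, 64, 1),
    Flow("192.0.2.53", "203.0.113.7", 53, 40002, 3200, 3),
    Flow("203.0.113.7", "192.0.2.53", 40003, 53, 64, 1),
    Flow("192.0.2.53", "203.0.113.7", 53, 40003, 3200, 3),
    Flow("198.51.100.9", "192.0.2.53", 51000, 53, 70, 1),
    Flow("192.0.2.53", "198.51.100.9", 53, 51000, 180, 1),
    Flow("198.51.100.9", "192.0.2.53", 51001, 53, 70, 1),
    Flow("192.0.2.53", "198.51.100.9", 53, 51001, 200, 1),
]

Stats = Dict[str, Tuple[int, int, float]]  # client -> (query_bytes, response_bytes, ratio)


def amplification_by_client(flows: Iterable[Flow], resolver: str) -> Stats:
    """Sum query bytes sent to `resolver` and response bytes sent by it, per client.

    ratio = response_bytes / query_bytes; a client with responses but no
    recorded queries gets an infinite ratio (pure unsolicited traffic).
    """
    queries: Dict[str, int] = defaultdict(int)
    responses: Dict[str, int] = defaultdict(int)
    for f in flows:
        if f.dst == resolver and f.dport == 53:
            queries[f.src] += f.bytes
        elif f.src == resolver and f.sport == 53:
            responses[f.dst] += f.bytes
    stats: Stats = {}
    for client in set(queries) | set(responses):
        qb, rb = queries[client], responses[client]
        ratio = rb / qb if qb else float("inf")
        stats[client] = (qb, rb, ratio)
    return stats


def flag_suspects(stats: Stats, min_ratio: float = 10.0, min_response_bytes: int = 1000) -> List[str]:
    """Return clients whose amplification ratio and response volume both exceed the thresholds.

    The volume floor keeps a single large legitimate answer from tripping the ratio test.
    """
    return sorted(
        client
        for client, (_qb, rb, ratio) in stats.items()
        if ratio >= min_ratio and rb >= min_response_bytes
    )


if __name__ == "__main__":
    report = amplification_by_client(SAMPLE_FLOWS, "192.0.2.53")
    for client, (qb, rb, ratio) in sorted(report.items()):
        print(f"{client:15} query={qb:6d}B response={rb:6d}B ratio={ratio:.1f}")
    print("suspected reflection victims:", flag_suspects(report))
```

In practice the per-client totals would be computed over a short sliding window and combined with a response-rate limit or a recursion ACL on the resolver, since the flagged address is the spoofed victim rather than the attacker and blocking it outright only finishes the attacker's job.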
