Open Resolver Problems
Patrick W. Gilmore
patrick at ianai.net
Tue Mar 26 12:07:22 UTC 2013

On Mar 26, 2013, at 08:01 , "Dobbins, Roland" <rdobbins at arbor.net> wrote:
> On Mar 26, 2013, at 6:50 PM, Jamie Bowden wrote:
>
>> let's suppose I just happen to have, or have access to, a botnet comprised of (tens of) millions of random hosts all over the internet, and I feel like destroying your DNS servers via DDoS;
>
> DNS reflection/amplification attacks aren't intended as attacks against the DNS, per se; they're intended to crush any/all targeted servers and/or fill transit pipes.

To be more clear, the point of DNS reflection attacks is to amplify the amount of bandwidth the botnet can muster (and perhaps hide the true source).

If you have 10s of millions of bots, you don't need to amplify. You can crush any single IP address on the 'Net.

> Same for SNMP and ntp reflection attacks.

And far too many other things. :(

--
TTFN,
patrick