So how big was it *really*?

Jared Mauch jared at puck.nether.net
Thu Mar 28 13:41:37 UTC 2013


On Mar 28, 2013, at 9:29 AM, Harry Hoffman <hhoffman at ip-solutions.net> wrote:

> It's interesting, this just came up on gizmodo. As I said in another
> forum, take it for what it's worth:
> 
> http://gizmodo.com/5992652/that-internet-war-apocalypse-is-a-lie

I can't comment in detail, but there are some "lost in translation" moments with the reporting.

If you look at externally observable data, something surely happened at LINX on the 23rd:

https://stats.linx.net/cgi-pub/aggregate/week

I think it's easy to get fully into a doom-and-gloom scenario, but even if the numerical reporting is correct there wasn't a broad impact observed similar to slammer/blaster where everyone was congested.

I will say, please don't treat this as 100% hype and look at unicast-rpf and securing your DNS servers in parallel.  That threat certainly is real.  With 21,432,212 hosts that respond to dns queries (with the right answer, not including those that send a referral to root which is quite large), an amplification attack would be quite easy.  It's somewhere around 1:173 hosts run a service that responds.  That is real and clearly measurable.

Your BIND settings to look for are:

http://www.zytrax.com/books/dns/ch7/queries.html

  additional-from-auth yes | no ;
  additional-from-cache yes | no ;

- Jared
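An added configuration check, not part of the original post: it scans a BIND named.conf options block for the amplification-relevant settings the message names (recursion without an allow-recursion ACL, additional-from-auth / additional-from-cache left enabled) plus a missing rate-limit block, and shows a permissive block beside a hardened one. Both config texts are constructed for the example and the nested sub-blocks are assumed to sit on one line each.

```python
import re

# Constructed named.conf fragments for the example; not from any real server.
PERMISSIVE_CONF = """
options {
    directory "/var/named";
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;
};
"""

HARDENED_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 127.0.0.1; 10.0.0.0/8; };
    additional-from-auth no;
    additional-from-cache no;
    rate-limit { responses-per-second 10; };
};
"""

def options_block(conf: str) -> str:
    """Body of the options { ... } block; nested blocks must end on their own line."""
    m = re.search(r"options\s*\{(.*?)\n\};", conf, re.S)
    return m.group(1) if m else ""

def setting(body: str, name: str):
    """Value of a simple 'name value;' statement, or None if it is not set."""
    m = re.search(rf"^\s*{re.escape(name)}\s+([^;{{]+);", body, re.M)
    return m.group(1).strip() if m else None

def amplification_findings(conf: str) -> list:
    """Return the amplification-related weaknesses found; empty list means none."""
    body = options_block(conf)
    findings = []
    # BIND recurses by default, so an absent 'recursion' statement means yes.
    if setting(body, "recursion") != "no" and "allow-recursion" not in body:
        findings.append("open recursion: no allow-recursion ACL")
    # Both options add records to answers, i.e. bigger responses per query.
    for opt in ("additional-from-auth", "additional-from-cache"):
        if setting(body, opt) != "no":
            findings.append(f"{opt} not disabled: larger responses")
    if "rate-limit" not in body:
        findings.append("no rate-limit block: no response-rate limiting")
    return findings
```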


