Thank you, Comcast.

Roland Dobbins rdobbins at arbor.net
Fri Feb 26 16:30:31 UTC 2016


On 26 Feb 2016, at 23:15, Mike Hammett wrote:

> I think you'd be hard pressed to find more than a tenth of a percent 
> of people attempt to run their own DNS server.

You'll find a heck of a lot more of them doing so unknowingly, because 
they're running misconfigured, abusable CPE devices which can be 
leveraged by attackers to launch DNS reflection/amplification attacks.

Note that outbound/crossbound DDoS attacks can have just as much of a 
negative impact on availability as inbound DDoS attacks; even more, when 
multiple attackers are abusing the same reflectors/amplifiers (which is 
often the case).

And even that small tenth of a percent who're deliberately running their 
own DNS servers can end up inadvertently causing disruption if they're 
running those DNS servers as open recursors.

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>


More information about the NANOG mailing list