nanog mailing list archives
Re: DNS requests from 209.67.50.203
From: "Bora Akyol" <akyol () akyol org>
Date: Wed, 10 Jan 2001 20:38:11 -0800
I am still curious as to why *this* attack would even exist (seeing that it uses a spoofed source IP address) if people were filtering traffic that was originating from their networks properly. I thought we discussed this already last month on the list.

Bora

----- Original Message -----
From: "Vern Paxson" <vern () ee lbl gov>
To: "Jared Mauch" <jared () puck Nether net>
Cc: "Steven M. Bellovin" <smb () research att com>; <jtk () aharp is-net depaul edu>; <nanog () merit edu>
Sent: Tuesday, January 09, 2001 6:45 PM
Subject: Re: DNS requests from 209.67.50.203

> A good way to reduce this is to turn off recursion for people not on your network for your dns server. This is fairly easy to do with bind8/bind9.

The attack isn't via recursive lookups (though recursion could help augment the attack). The reflection is in terms of the DNS reply to the purported requestor (really the victim). At lbl.gov, none of the requests result in further lookups from our nameserver. But the victim still receives the reply stream, which from a combined large number of name servers is very large.

See my draft paper ftp://ftp.ee.lbl.gov/.vp-reflectors.txt for a discussion of reflector attacks.

Vern
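
The source-address filtering raised in the message above, sketched as an added example that is not part of the original post or thread: an edge router forwards an outbound packet only if its source lies in a prefix the network originates, which removes the forged queries before any name server can reply to the claimed address. All prefixes, addresses, field names and function names are assumptions, and the packet list is constructed sample data.

```python
"""Source-address (egress) filtering at a network edge, on constructed data."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed prefix originated by the edge network (documentation range).
LOCAL_PREFIXES = [ip_network("192.0.2.0/24")]


def egress_permitted(src, prefixes=LOCAL_PREFIXES):
    """A packet may leave only if its source lies in a prefix we originate."""
    addr = ip_address(src)
    return any(addr in net for net in prefixes)


def filter_outbound(packets, prefixes=LOCAL_PREFIXES):
    """Split outbound packets into (forwarded, dropped) by source address."""
    forwarded, dropped = [], []
    for pkt in packets:
        ok = egress_permitted(pkt["src"], prefixes)
        (forwarded if ok else dropped).append(pkt)
    return forwarded, dropped


def replies_per_claimed_source(packets):
    """Count the DNS replies each claimed source address would receive.

    A name server answers to whatever source the query carries, so the count
    for a forged address is the reply stream aimed at that host.
    """
    return Counter(p["src"] for p in packets if p["dport"] == 53)


# Constructed sample: outbound packets seen at the edge router.
# 203.0.113.7 is outside LOCAL_PREFIXES, so those queries carry a forged source.
SAMPLE = (
    [{"src": "192.0.2.10", "dst": "198.51.100.1", "dport": 53}] * 2
    + [{"src": "203.0.113.7", "dst": f"198.51.100.{10 + i}", "dport": 53}
       for i in range(5)]
    + [{"src": "192.0.2.20", "dst": "203.0.113.80", "dport": 80}]
)

if __name__ == "__main__":
    print("unfiltered:", dict(replies_per_claimed_source(SAMPLE)))
    forwarded, dropped = filter_outbound(SAMPLE)
    print("filtered:  ", dict(replies_per_claimed_source(forwarded)))
    print("dropped:   ", len(dropped), "packets with a non-local source")
```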