On Jun 10, 2012, at 23:59, Kyle Creyts wrote:

> On Sun, Jun 10, 2012 at 2:33 PM, Paul Vixie <p...@redbarn.org> wrote:
>>> I'm afraid we may need more control. If my clients are generating a DDoS
>>> attack at 20 responses per second, and I limit this to 5 per second -
>>> the C&C can get the same effect by mobilizing four times as many clients
>>> to do the job.
>>
>> no. the client ip is spoofed. the number of spoofers doesn't matter,
>> when the reflector is looking at both the apparent client ip and the
>> intended response. when most well-provisioned authority servers are
>> running with some kind of rate limiting, then the only way to do a
>> reflective amplifying ddos will be (a) do it through recursive not
>> authority servers, or (b) send a small number of queries to a large
>> number of authority servers, or (c) switch to some other wide area udp
>> such as ntp or snmp or syslog or whatever.
>
> Someone mentioned that as soon as the spoofed client is blocked, that
> a new spoofed client is used... This behavior seems... strange. How
> quick is this shift? How would one know when to shift the target? The
> modes I _can_ come up with largely involve having some sort of
> information about what is reaching the target. (bandwidth or traffic
> sources) This just leads to more interesting questions about those
> perpetrating the attacks, and their intent. Is there an obvious way of
> discerning the time to switch targets that I am missing? Is this a
> non-interesting topic?
From what I've seen, in our specific case, the apparent source address seems to swap every thousand requests or so, with a few exceptions. This is from running dnstop on our auth nameservers for a few hours.

HTH,
Jona
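To illustrate Vixie's point above that the number of spoofers does not matter once the reflector rate-limits on the (apparent client IP, intended response) pair, here is a small added simulation (not code from this thread or from any RRL implementation): a token bucket keyed on that pair, fed by a constructed query stream in which every bot spoofs the same victim address. The limit of 5 responses per second, the victim address and the query name are assumed values.

```python
class ResponseRateLimiter:
    """Token bucket allowing at most `rate` responses/second per
    (apparent client IP, response identity) key; `burst` is the bucket size."""

    def __init__(self, rate=5.0, burst=5.0):
        self.rate = rate
        self.burst = burst
        self.buckets = {}  # key -> (tokens, timestamp of last update)

    def allow(self, client_ip, response_id, now):
        key = (client_ip, response_id)
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, now)
            return True          # send the response
        self.buckets[key] = (tokens, now)
        return False             # drop (or truncate/slip) the response


def simulate(num_bots, qps_per_bot, victim_ip="192.0.2.10",
             response_id="example.com/ANY", seconds=10, rate=5.0):
    """Constructed attack stream: every bot spoofs victim_ip as the source and
    asks for the same amplifying response. Returns (responses sent, queries seen)."""
    rrl = ResponseRateLimiter(rate=rate, burst=rate)
    total = num_bots * qps_per_bot * seconds
    sent = 0
    for i in range(total):
        now = i / (num_bots * qps_per_bot)   # queries evenly spaced in time
        if rrl.allow(victim_ip, response_id, now):
            sent += 1
    return sent, total


if __name__ == "__main__":
    # Four times the bots only means four times the drops: the victim still
    # receives roughly `rate` responses per second for this (ip, response) key.
    for bots in (1, 4):
        sent, total = simulate(bots, 20)
        print(f"{bots} bot(s): {sent} responses sent out of {total} queries")
```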