I agree that both approaches do not help against reflection. However, they do take away the amplification, making the attack less attractive.

09:47:34.587094 IP localhost.41054 > localhost.domain: 16533+ [1au] ANY? prague.studlab.os3.nl. (50)
09:47:34.587501 IP localhost.domain > localhost.41054: 16533*|$ 0/0/1 (50)

-Javy

On Jan 10, 2013, at 9:34 AM, Lutz Donnerhacke <[email protected]> wrote:

> * Colm MacCárthaigh wrote:
>> On Wed, Jan 9, 2013 at 4:24 PM, Scott Brynen
>> <[email protected]> wrote:
>>> In an interesting development to this, UltraDNS are starting to REFUSE a
>>> UDP/ANY request on some of their name servers.
>>
>> Considering that a status=REFUSED response is exactly as large as a
>> TC=1 response with no answer section, is there a technical benefit to
>> responding with REFUSED?
>
> Both approaches do not help. The traffic generated by such small answers to
> spoofed queries is still sufficient to bring the target down. Been there, done
> that, got sued.
>
> That's why I switched to a much more aggressive "DNS dampening".

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
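
Added example, not part of the original messages: a Python sketch that rebuilds the wire format of the ANY query in the capture above and of the two minimal replies discussed in the thread (TC=1 with an empty answer section, and REFUSED), to show why each is 50 bytes and the amplification factor is 1.0. The function names, the 4096-byte EDNS payload size and the simplified reply flag bits are assumptions.

```python
import struct

QTYPE_ANY, CLASS_IN, TYPE_OPT = 255, 1, 41
RCODE_REFUSED = 5

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def opt_rr(udp_size=4096):
    """EDNS0 OPT pseudo-record: root name, type, payload size, TTL, RDLEN=0."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)

def build_query(qid, name, qtype=QTYPE_ANY):
    """Query with RD set, one question and one additional (OPT) record."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN) + opt_rr()

def question_end(msg):
    """Offset just past the first question (name + QTYPE + QCLASS)."""
    pos = 12
    while msg[pos] != 0:
        pos += 1 + msg[pos]
    return pos + 1 + 4

def minimal_reply(query, truncate=True, rcode=0):
    """Reply with 0 answer, 0 authority, 1 additional: the 0/0/1 in the capture.
    Flag bits are simplified (assumption): QR, optional TC, RD copied, RCODE."""
    qid, qflags = struct.unpack("!HH", query[:4])
    flags = 0x8000 | (0x0200 if truncate else 0) | (qflags & 0x0100) | rcode
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)
    return header + query[12:question_end(query)] + opt_rr()

def amplification(query, reply):
    """Bytes sent toward the spoofed source per byte the sender spent."""
    return len(reply) / len(query)

if __name__ == "__main__":
    q = build_query(16533, "prague.studlab.os3.nl.")
    for label, r in (("TC=1", minimal_reply(q)),
                     ("REFUSED", minimal_reply(q, False, RCODE_REFUSED))):
        print(f"{label}: query {len(q)} B, reply {len(r)} B, "
              f"factor {amplification(q, r):.1f}")
```
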
