Fred Morris wrote: > On Sun, 31 Mar 2013, Jim Reid wrote: >> Remember too that in these DDoS attacks truncated UDP responses would >> still be going to spoofed addresses. So those victims still get hit, >> albeit without the amplification factor of a chubby DNS response. > > Yes. But there's no reason for them to abuse the DNS (no reason not to, > either) as they can send packets with spoofed source addresses directly at > the target. They're doing it anyway to direct them at the intermediate DNS > resource: but they could just cut the middleman out altogether and spoof a > fat DNS response from your nameserver, couldn't they? Or anything else. > Point is, since they spoof source addresses, they can spoof source > addresses; it's not even a tautalogy, it's identity. > > They're doing it for the amplification.
i mostly agree. however, reflection offers one other minor boon, which is a longer traceback path. that's why RRL attenuates both the packet size and packet count. the deal we're offering attackers is, you can reflect through here, but it'll cost you a lot more. we think the residual benefit of reflection is not worth the attacker's cost, if they have to send both more and larger packets than will be seen by the victim. paul
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
