I have heard that DNS reflection is used for:

1. Amplification (this is usually assumed to be the main reason)

2. Make it harder to find the original sender (this is usually assumed to
be a secondary reason, or even only a side-effect)

What I have not heard, but assume might be a reason:

3. Send traffic through a different path.  The (spoofed, victim) IP being
attacked might have more than one connection to the "internet", or their
ISP at least should have more than one connection.  Sending traffic
directly will most likely only take one path, and congestion or limiting on
that path might limit the amount of traffic that reaches the victim.
Reflecting packets off various other (DNS) servers allows traffic to be
sent to the client from multiple directions.  (For those that don't already
have a distributed botnet at their disposal.)

Even if we solve DNS Amplification, reasons 2 and 3 seem sufficient for
attackers to continue to use reflection.

-- 
Bob Harold
DNS operator
University of Michigan
_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
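The post argues that reflection traffic is worth flagging even when it does not amplify much, because reasons 2 and 3 do not depend on response size. The following is an added example, not part of Bob Harold's message or any DNS-OARC tooling: a small resolver-side detector that scores each client address (the candidate spoofed victim) on two independent signals, response/request byte ratio and query rate, so that a high-rate, low-amplification reflection is still caught. The log line format, the field names and the sample log are constructed for this example, and the thresholds are illustrative, not recommended production values.

```python
"""Flag likely DNS reflection from a resolver query log.

Constructed log format (one line per query answered by this resolver):
    <timestamp> client=<ip> qname=<name> qtype=<type> req=<bytes> resp=<bytes>
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample covering a 10-second window. 203.0.113.7 is hit with large
# ANY responses (amplification), 198.51.100.9 receives many small responses
# (reflection without amplification), and 192.0.2.5 is an ordinary client.
SAMPLE_LOG = """\
2024-01-01T00:00:00Z client=203.0.113.7 qname=example.com. qtype=ANY req=60 resp=3000
2024-01-01T00:00:01Z client=203.0.113.7 qname=example.com. qtype=ANY req=60 resp=3000
2024-01-01T00:00:02Z client=198.51.100.9 qname=example.net. qtype=A req=50 resp=90
2024-01-01T00:00:02Z client=203.0.113.7 qname=example.com. qtype=ANY req=60 resp=3000
2024-01-01T00:00:03Z client=198.51.100.9 qname=example.net. qtype=A req=50 resp=90
2024-01-01T00:00:03Z client=192.0.2.5 qname=example.org. qtype=A req=50 resp=90
2024-01-01T00:00:04Z client=203.0.113.7 qname=example.com. qtype=ANY req=60 resp=3000
2024-01-01T00:00:05Z client=198.51.100.9 qname=example.net. qtype=A req=50 resp=90
2024-01-01T00:00:06Z client=203.0.113.7 qname=example.com. qtype=ANY req=60 resp=3000
2024-01-01T00:00:06Z client=198.51.100.9 qname=example.net. qtype=A req=50 resp=90
2024-01-01T00:00:07Z client=198.51.100.9 qname=example.net. qtype=A req=50 resp=90
2024-01-01T00:00:08Z client=203.0.113.7 qname=example.com. qtype=ANY req=60 resp=3000
2024-01-01T00:00:08Z client=192.0.2.5 qname=example.org. qtype=A req=50 resp=90
2024-01-01T00:00:09Z client=198.51.100.9 qname=example.net. qtype=A req=50 resp=90
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>[\d.]+) qname=(?P<qname>\S+) "
    r"qtype=(?P<qtype>\S+) req=(?P<req>\d+) resp=(?P<resp>\d+)$"
)


@dataclass
class Record:
    ts: str
    client: str
    qname: str
    qtype: str
    req_bytes: int
    resp_bytes: int


@dataclass
class ClientStats:
    queries: int = 0
    req_bytes: int = 0
    resp_bytes: int = 0
    qtypes: set = field(default_factory=set)


def parse_log(text):
    """Parse log lines into Records, skipping lines that do not match."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(Record(m["ts"], m["client"], m["qname"], m["qtype"],
                                  int(m["req"]), int(m["resp"])))
    return records


def summarize(records):
    """Aggregate per-client byte counts and query counts."""
    stats = defaultdict(ClientStats)
    for r in records:
        s = stats[r.client]
        s.queries += 1
        s.req_bytes += r.req_bytes
        s.resp_bytes += r.resp_bytes
        s.qtypes.add(r.qtype)
    return dict(stats)


def amplification_factor(s):
    """Bytes sent back toward the client per byte received from it."""
    return s.resp_bytes / s.req_bytes if s.req_bytes else 0.0


def flag_reflection(stats, window_seconds, min_rate, min_amp):
    """Return {client: [reasons]} for clients that trip either signal.

    'amplification' and 'rate' are evaluated separately on purpose: a spoofed
    victim being hit via many resolvers can show a normal byte ratio and
    still be identifiable by query rate alone.
    """
    flagged = {}
    for client, s in stats.items():
        reasons = []
        if amplification_factor(s) >= min_amp:
            reasons.append("amplification")
        if s.queries / window_seconds >= min_rate:
            reasons.append("rate")
        if reasons:
            flagged[client] = reasons
    return flagged


if __name__ == "__main__":
    stats = summarize(parse_log(SAMPLE_LOG))
    for client, reasons in flag_reflection(stats, 10, 0.5, 10).items():
        print(f"{client}: {', '.join(reasons)} "
              f"(amp={amplification_factor(stats[client]):.1f})")
```

The two signals map onto the post's reasons: the byte ratio catches reason 1, while the rate check catches traffic that is only using the resolver to hide its source or to reach the victim over another path. In a real deployment the rate threshold would be set per client prefix rather than per address, and a hit would feed response rate limiting rather than just a report.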
