[email protected] wrote:
> Reflective multiplication attacks are the current vogue. Send a small DNS
> query with a forged return address to an authoritative server and get a much
> larger reply in turn.
> NTP wouldn't be a good target for such an attack because the response is the
> same size as the query. Could still be used in a reflective attack but it
> wouldn't have the multiplication effect of a reflective DNS attack.
You forget that the reply to some administrative commands is much larger than
the request.
When these are allowed they can be used for amplification.
However, as seen in actual attacks the DDoS people have already passed this
station.
First, they sent bare SYN packets from spoofed source addresses -> connection
table overflow.
It was fixed by SYN cookies and other measures.
Then they used DNS amplification to generate a lot of traffic. But this
traffic is easily filtered, as it is not the traffic a server normally sees
(e.g. TCP traffic to port 80 or 443).
So the method now is to set up complete connections from systems in a botnet,
connections that do not only complete at TCP level but also attempt to start
application transactions, like fetching a webpage, logging in to a "my xxxxxx"
page, etc.
This poses more difficult challenges for the operators. And it is very easy to
find the systems willing to act as the traffic source, given the large number
of poorly administered home computers.
Rob
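Added example, not part of the thread: one way a defender could spot the request/reply asymmetry described above in NTP flow records. The flow tuple layout, the addresses and the 10x ratio threshold are assumptions; the flow records are constructed sample data.

```python
from collections import defaultdict

# Constructed sample flow records. Assumed field order (one tuple per
# unidirectional flow, as a flow exporter might emit): (src, sport, dst, dport, proto, bytes)
SAMPLE_FLOWS = [
    # Ordinary client poll: 48-byte request answered by a 48-byte reply (no gain)
    ("192.0.2.10", 40000, "198.51.100.5", 123, "udp", 48),
    ("198.51.100.5", 123, "192.0.2.10", 40000, "udp", 48),
    # Small administrative query answered with a reply many times larger
    ("192.0.2.99", 50000, "198.51.100.5", 123, "udp", 8),
    ("198.51.100.5", 123, "192.0.2.99", 50000, "udp", 440),
    # Reply with no matching request: what the spoofed address (the victim) sees
    ("198.51.100.5", 123, "192.0.2.200", 53, "udp", 440),
    # Unrelated TCP flow, ignored by the check
    ("192.0.2.10", 41000, "198.51.100.9", 80, "tcp", 600),
]


def summarize_ntp_flows(flows, server_port=123):
    """Aggregate request and reply bytes per (server, client) pair for UDP/123."""
    pairs = defaultdict(lambda: {"req_bytes": 0, "req_flows": 0,
                                 "rep_bytes": 0, "rep_flows": 0})
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dport == server_port:        # client -> server: a request
            s = pairs[(dst, src)]
            s["req_bytes"] += nbytes
            s["req_flows"] += 1
        elif sport == server_port:      # server -> client: a reply
            s = pairs[(src, dst)]
            s["rep_bytes"] += nbytes
            s["rep_flows"] += 1
    return pairs


def flag_amplification(flows, ratio_threshold=10.0):
    """Return (kind, server, client, detail) findings.

    'amplified': reply bytes exceed request bytes by the threshold (reflector side).
    'unsolicited_reply': replies arrive with no request at all (victim side).
    """
    findings = []
    for (server, client), s in summarize_ntp_flows(flows).items():
        if s["req_flows"] == 0 and s["rep_flows"] > 0:
            findings.append(("unsolicited_reply", server, client, s["rep_bytes"]))
        elif s["req_bytes"] > 0:
            ratio = s["rep_bytes"] / s["req_bytes"]
            if ratio >= ratio_threshold:
                findings.append(("amplified", server, client, round(ratio, 1)))
    return sorted(findings)
```

The ordinary 48-byte poll is never flagged, which is the point of the original observation: only the administrative replies carry a gain.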
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool