> From: "John Levine" <jo...@iecc.com>

> The real solution is BCP 38, to keep spoofed packets out of the
> network in the first place.

Indeed. As many have mentioned, DNS reflection attacks are merely the current fad, driven partly by 10X or higher amplification (<50 byte queries, >500 byte responses) and partly by the lemming syndrome of any fad. There have been, are, and will be many other protocols used in reflection attacks until BCP 38 is the de facto standard.

Smurf was an old example
https://www.google.com/search?q=smurf+reflection+attack
See also ntp
https://www.google.com/search?q=ntp+reflection+attack

Chargen is another one from the ancient suite of the small services
https://www.google.com/search?q=small+udp+service+reflection+attack
that is reportedly popular again.
https://www.google.com/search?q=chargen+attack&tbs=qdr:m
See also NTP, timed, and others.

The standard reaction to a list like that from experts who invent Final Ultimate Solutions to the Spam Problem is incoherent nonsense about TCP and/or authentication. They neither know nor care TCP has long been and still is very popular in reflection DoS attacks.
https://www.google.com/search?q=tcp+syn+attack

Vernon Schryver    v...@rhyolite.com
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users