> From: "Ronald F. Guilmette" <r...@tristatelogic.com>

} That is an interesting contention.  Is there any evidence of, or even any
} reasonably reliable report of any DDoS actually being perpetrated IN PRACTICE
} using strictly 512 byte packets?
}
} If that's actually a real problem, then I am forced to assume that there
} must have been numerous reliable reports of successful and devastating
} DNS reflection DDoS attacks which pre-dated the widespread adoption of
} EDNS0.  I am not sure where or how I would be able to unearth archived
} but contemporaneous news accounts of such incidents, so if you could
} send me some links to archived copies of a few such pre-EDNS0 DDoS
} reports, I sure would appreciate it.
Expecting to get detailed (e.g. packet dumps, packet sizes, IP addresses, ASNs) reports of DDoS attacks is like expecting samples of spam from anti-spam operators.  Even the general outlines of reports tend to be private.

....

> At which server?  The numerous DDoS-participating individual intermediaries?
> Or the (singular) DDoS victim?

It wouldn't hurt to learn about the DNS protocol in general and DNS reflection attacks in particular before parachuting in with the Final Ultimate DNS Reflection DoS Attack Solution.

Besides the facts that DNSSEC makes the problem worse and that EDNS0 was not the genesis of DNS reflection attacks, "intermediary" is a poor fit for a recursive DNS resolver (but might fit a stub resolver).  A recursive server answers from its cache.  After it has recursed and until TTLs expire, a recursive server acts like an authority.  That is why the query handling code in a DNS server implementation tends to treat its cache like a zone file.

"Intermediary" simply does not fit the problem of open resolvers in DNS reflection attacks, because a DNS referral can give plenty of amplification.  For example, I get more than 500 bytes of UDP payload from `dig +norecurs example.com` and almost 900 bytes from `dig +dnssec +norecurs example.com`.  (If a recursive answering with a referral is an "intermediary", then so is every non-leaf authority.)

"Singular DDoS victim" is off the mark compared to "DDoS victim."  For obvious reasons, multi-Gbit/sec attacks often affect entire networks.  (Multi-Gbit/sec attacks are more common than one might understand from some press releases.)  In addition, there can be multiple IP addresses in an attack, and none of the target IP addresses need be in use by any hosts.  Any host that is at a targeted address is not expecting the DoS packets and is sending as many ICMP Port-Unreachable error messages as its ICMP rate limits and firewalls allow (often none)--not to mention what the incoming flood might have done to BGP sessions and so forth and so on.

Consider the implications of those facts, as well as the general meaning of "denial of service attack", on any Final Ultimate Solution that requires DDoS victims to send packets to DNS servers.

Vernon Schryver    v...@rhyolite.com

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
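The referral amplification Vernon describes (a non-recursive query to a cold recursive resolver being answered with the root NS set plus glue) can be reproduced offline. The Python below is an added example, not part of anyone's message on this thread and not BIND's code: it encodes a DNS query and the corresponding root referral in RFC 1035 wire format with name compression, adds an RFC 6891 OPT record when the client advertises an EDNS0 buffer, and reports the UDP payload sizes and the amplification ratio for a classic 512-byte client and for a 4096-byte EDNS0 client. The root server names are the real ones; the glue addresses are constructed placeholders from the RFC 5737 / RFC 3849 documentation ranges, and the truncation policy (drop glue from ADDITIONAL until the message fits, set TC only if AUTHORITY itself does not fit) is a simplifying assumption, not a claim about any particular server's behaviour.

```python
"""Added example: measure DNS referral amplification with and without EDNS0."""
import socket
import struct

ROOT_SERVERS = [f"{c}.root-servers.net." for c in "abcdefghijklm"]
# Constructed glue from documentation prefixes; NOT the real root server addresses.
GLUE = {n: (f"192.0.2.{i}", f"2001:db8::{i}") for i, n in enumerate(ROOT_SERVERS, 1)}
TTL = 518400


class Builder:
    """Minimal DNS wire encoder with RFC 1035 section 4.1.4 name compression."""

    def __init__(self):
        self.buf = bytearray()
        self.offsets = {}  # lowercase name suffix -> offset of its first copy

    def name(self, fqdn):
        labels = [l for l in fqdn.lower().split(".") if l]
        while labels:
            suffix = ".".join(labels)
            if suffix in self.offsets:  # 2-byte pointer to the earlier copy
                self.buf += struct.pack("!H", 0xC000 | self.offsets[suffix])
                return
            if len(self.buf) < 0x4000:  # pointers only address 14 bits
                self.offsets[suffix] = len(self.buf)
            self.buf += bytes([len(labels[0])]) + labels[0].encode("ascii")
            labels = labels[1:]
        self.buf += b"\x00"  # root label terminates the name

    def header(self, txid, flags, qd, an, ns, ar):
        self.buf += struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar)

    def question(self, qname, qtype=1):
        self.name(qname)
        self.buf += struct.pack("!HH", qtype, 1)

    def rr(self, owner, rtype, ttl, rdata):
        """rdata is raw bytes, or a callable that writes a compressible name."""
        self.name(owner)
        self.buf += struct.pack("!HHI", rtype, 1, ttl)
        pos = len(self.buf)
        self.buf += b"\x00\x00"  # RDLENGTH placeholder, patched below
        if callable(rdata):
            rdata(self)
        else:
            self.buf += rdata
        struct.pack_into("!H", self.buf, pos, len(self.buf) - pos - 2)

    def opt(self, udp_size):
        # OPT pseudo-RR (type 41): root owner, CLASS field carries the UDP payload size.
        self.buf += b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)


def build_query(qname, edns_size=None):
    """Query with RD clear (what `dig +norecurs` sends), optionally with OPT."""
    b = Builder()
    b.header(0x1234, 0x0000, 1, 0, 0, 1 if edns_size else 0)
    b.question(qname)
    if edns_size:
        b.opt(edns_size)
    return bytes(b.buf)


def build_referral(qname, max_udp, edns_size=None):
    """Root referral: 13 NS in AUTHORITY, A+AAAA glue in ADDITIONAL.
    Glue that does not fit in max_udp is dropped (assumed policy); if even the
    AUTHORITY section does not fit, TC is set and only the question is returned."""
    def encode(glue_count):
        b = Builder()
        arcount = 2 * glue_count + (1 if edns_size else 0)
        b.header(0x1234, 0x8080, 1, 0, len(ROOT_SERVERS), arcount)  # QR|RA, AA clear
        b.question(qname)
        for ns in ROOT_SERVERS:
            b.rr(".", 2, TTL, lambda bb, ns=ns: bb.name(ns))  # NS rdata is compressible
        for ns in ROOT_SERVERS[:glue_count]:
            v4, v6 = GLUE[ns]
            b.rr(ns, 1, TTL, socket.inet_pton(socket.AF_INET, v4))
            b.rr(ns, 28, TTL, socket.inet_pton(socket.AF_INET6, v6))
        if edns_size:
            b.opt(edns_size)
        return bytes(b.buf)

    for n in range(len(ROOT_SERVERS), -1, -1):
        msg = encode(n)
        if len(msg) <= max_udp:
            return msg
    b = Builder()  # nothing fits: TC set, header + question only
    b.header(0x1234, 0x8280, 1, 0, 0, 0)
    b.question(qname)
    return bytes(b.buf)


def amplification(qname, edns_size=None):
    """(query bytes, response bytes, ratio) for a client advertising edns_size
    (None = classic 512-byte UDP limit)."""
    q = build_query(qname, edns_size)
    r = build_referral(qname, edns_size or 512, edns_size)
    return len(q), len(r), len(r) / len(q)


if __name__ == "__main__":
    for size in (None, 4096):
        q, r, ratio = amplification("example.com.")
        q, r, ratio = amplification("example.com.", size)
        print(f"EDNS0 buffer {size or 'none'}: query {q} B, response {r} B, x{ratio:.1f}")
```

With compression the full referral comes out at a little over 800 bytes, the same ballpark as the `dig +norecurs` figure quoted above; the point of the two runs is that a 512-byte client still receives roughly 17 times what it sent, so removing EDNS0 does not remove the amplification, it only caps it.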