> OK. I just want to be clear here, and make sure that I have properly
> understood what you have said. Would it be correct, then, to say that
> at the present moment you are not actually able to produce, cite, or
> describe, with any particularity or specificity, even one individual
> specific incident in which 512-byte packets were used to perpetrate
> any individual, effective, and successful DDoS attack which actually
> resulted in some actual "service" being "denied", and that you are
> likewise unable to relate any specifics about any such purported attack
> which was in any other way worthy of note?
No. In any reflector attack, the bad guys blast out the requests and the reflectors send back what they send back. Since there are still plenty of DNS caches that don't do EDNS0, some of the traffic is big packets, some is smaller. The victims of the attacks for some reason always have something more pressing to do than to collect detailed statistics on the distribution of the incoming packets, so nobody knows what fraction is what.

More to the point, I know you can do arithmetic. The bad guys have botnets of 100,000 hosts or more, and there are at least that many open resolvers (think random networked printers and such), so a factor of 4 in the amplification ratio isn't important. When Doug said they were switching to chargen, he wasn't kidding. There's an unlimited number of things on the net that will respond to incoming packets.

R's,
John

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
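The arithmetic John points at, as an added example that is not part of the original post or of BIND: the block builds a minimal DNS query with and without an EDNS0 OPT record, models what a compliant responder can put on the wire over UDP in each case (a 512-byte payload cap with TC set when the client advertises no EDNS0 buffer, the advertised buffer size when it does), and scales the per-query result by reflector count. The qtype ANY query, the 3000-byte answer, 100,000 reflectors and one query per second per reflector are constructed inputs chosen for illustration, not figures taken from the thread.

```python
import struct

# Added example (not from the original mailing-list post): DNS wire-format
# queries with and without EDNS0, plus the reflector arithmetic.  All sizes
# and rates below are constructed inputs, not measurements.

L3_OVERHEAD = 28          # IPv4 (20) + UDP (8) header bytes per datagram
RFC1035_UDP_MAX = 512     # UDP payload cap for a responder without EDNS0
TYPE_OPT = 41             # EDNS0 OPT pseudo-RR type (RFC 6891)


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in the root label."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in name.rstrip(".").split("."))
    return labels + b"\x00"


def build_query(qname, qtype=255, edns_bufsize=None, txid=0x1234):
    """Build a DNS query payload.  qtype 255 (ANY) is an assumption here,
    chosen because it produces large answers.  If edns_bufsize is given, an
    OPT RR advertising that UDP payload size is appended in the additional
    section, which is what lets a responder exceed 512 bytes over UDP."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # RD=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)       # class IN
    pkt = header + question
    if edns_bufsize:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL=extended rcode/version/flags (all 0), RDLENGTH=0
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return pkt


def advertised_bufsize(pkt):
    """Return the EDNS0 UDP payload size a query advertises, or None if the
    query carries no OPT RR (the RFC 1035 case, capped at 512 bytes)."""
    if len(pkt) < 12:
        return None
    arcount = struct.unpack("!H", pkt[10:12])[0]
    if arcount == 0 or len(pkt) < 23:
        return None
    opt = pkt[-11:]                      # OPT RR with empty RDATA is 11 bytes
    if opt[0] != 0:                      # must be the root name
        return None
    rtype, bufsize = struct.unpack("!HH", opt[1:5])
    return bufsize if rtype == TYPE_OPT else None


def udp_response_size(full_response_len, edns_bufsize=None):
    """Bytes a compliant responder puts on the wire over UDP.  Without EDNS0
    the answer is truncated to 512 bytes (TC bit set); with EDNS0 the cap is
    whatever buffer size the (spoofed) client advertised."""
    cap = edns_bufsize if edns_bufsize else RFC1035_UDP_MAX
    return min(full_response_len, cap)


def amplification(query, full_response_len):
    """Bandwidth amplification factor, IP/UDP headers included: bytes that
    reach the victim per byte the attacker spent on the spoofed query."""
    resp = udp_response_size(full_response_len, advertised_bufsize(query))
    return (resp + L3_OVERHEAD) / (len(query) + L3_OVERHEAD)


def reflected_gbps(reflectors, queries_per_sec_each, query, amp):
    """Aggregate traffic arriving at the victim, in Gbit/s."""
    per_query_bytes = (len(query) + L3_OVERHEAD) * amp
    return reflectors * queries_per_sec_each * per_query_bytes * 8 / 1e9


if __name__ == "__main__":
    plain = build_query("example.com")                    # 29-byte payload
    edns = build_query("example.com", edns_bufsize=4096)  # 40-byte payload
    big_answer = 3000   # constructed: a large ANY answer for the zone
    for label, q in (("no EDNS0", plain), ("EDNS0 4096", edns)):
        amp = amplification(q, big_answer)
        gbps = reflected_gbps(100_000, 1, q, amp)
        print(f"{label:11s} query={len(q):3d}B amp={amp:5.1f}x "
              f"100k reflectors @ 1 q/s each -> {gbps:.2f} Gbit/s")
```

With these constructed inputs the EDNS0-capable reflector yields roughly 4.7 times the amplification of the 512-byte one, which is the "factor of 4" the reply above treats as secondary: the reflector count and per-reflector query rate multiply straight through, whereas the per-packet ratio is bounded by the size of the largest answer the reflector will return. The same `reflected_gbps` arithmetic applies to any reflector that answers a small datagram with a larger one, chargen included; only the per-query sizes change.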