On Sep 2, 2008, at 12:44 PM, Dean Anderson wrote:
>
> I find this hard to believe from three standpoints:
>
> 1) the expected number of open DNS recursors and their collective
> bandwidth doesn't seem to be large enough to support a 40Gbps attack.

Really? With trivial amplification vectors 20 low-speed broadband connected bots can generate nearly 1.5 Gbps of attack traffic. So, that'd put you around 500 or so bots, and any number of open resolvers, to generate such an attack, which is low-hanging fruit these days. Of course, the reported amplification vector was higher than this, the number of bots lowers.

> 2) Why would anyone capable of programming bother searching for open
> recursors (with often small connection speeds) when they can use 100+
> root servers with large amplification factors and high bandwidth
> connections at key exchange points?

We'll leave that as an exercise for the reader...

> 3) Why aren't these attacks being prosecuted? Someone searching for
> open recursors is bound to be noticed. The only people I know of
> searching for open recursors are UltraDNS and a scientific group at
> Cornell.

Searching for open recursors and launching an attack are two entirely different things. And launching spoofed-based attacks makes finding the attacking sources more difficult. And given that they're most always botted, you then have to find a C&C, and then an attacker stepping stone, etc., etc. No need for rehashes of this here, methinks.

> I'll wait to see the report. It will also be interesting to find out
> who was surveyed. If it turns out to be primarily NANOG (the source
> of the original reports), I'll be more dubious.

No, there's quite a wide distribution of responses, but mostly *OG types in various regions.

> Mr. McPherson is associated with NANOG, attending 18 meetings as of
> NANOG 42; only 46 people have attended more NANOG meetings than
> Mr. McPherson.

Interesting tidbit, I had no idea. Useless, but interesting :-)

-danny