On 2012-06-10, Rudolf Leitgeb <rudolf.leit...@gmx.at> wrote:
> On Sunday, 10.06.2012, 00:37 +0000, Stuart Henderson wrote:
>> On 2012-06-09, Kostas Zorbadelos <kzo...@otenet.gr> wrote:
>> > I am interested to hear possible solutions in other layers as well.
>> 
>> http://fanf.livejournal.com/122111.html seems a nice approach...
>
> This seems to work nicely if the attacker spoofs random addresses or
> if the real target is not the DNS server but the endpoint receiving
> its replies (therefore the term "amplification attack").

Yes that's kind-of implied by "amplification attack". Queries are sourced
from a false address (the actual target of the attack), with the intention
to direct larger DNS responses at the target.

> In Kostas's case it appears the attacker spoofs legit client addresses,
> which means rate limiting would likely cut off these clients.

From the followup mail it sounds like these are queries being generated
directly from client machines on the network, i.e. DDOS rather than
amplification.
So what is causing the queries? Client PCs under the control of attackers?
CPE routers with broken configuration allowing global access to DNS forwarders?
