[nycbug-talk] dns abuse

Andy Kosela akosela at andykosela.com
Thu Jan 22 03:00:54 EST 2009


Yarema <yds at coolrat.org> wrote:

> As for the "security through obscurity" argument.  Now that I've thought
> about it I do not believe it applies with this attack.  If the attacker
> sends queries to which my server replies because it is authoritative for
> that zone -- then only my servers will be "flooding" the spoofed
> address.  It stops being a DDoS attack because no one else's servers
> will respond to such queries and therefore the victim's spoofed address
> will not be flooded like it is with a query for the "." zone.  Queries
> for com, org, net, &c. &c. zones also do not get amplified by a server
> not set up as authoritative for those zones.  The more I think about it
> the more it seems like an exploit of the fact that many BIND servers do
> not properly configure the split between serving authoritative records
> and resolving/caching.

Configuring "views" in BIND can help.  Many servers at the same time are
authoritative for some zones *and* need to provide recursive queries for
some of their clients.  Even if you disable recursion for most of the
world, the "." zone still gets served.  Yarema, that split you wrote about
is indeed desirable in the current situation.

--Andy
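An added illustration of the split discussed above, not taken from the thread: a constructed BIND named.conf fragment that confines the recursive/caching role (and the root hint zone) to a view matched only by a trusted client ACL, while everyone else hits an authoritative-only view. The zone name example.org, the file names and the 192.0.2.0/24 prefix are placeholders.

```conf
// Constructed example named.conf fragment (not from the thread).
// Placeholder ACL: the networks allowed to use this server as a resolver.
acl "trusted" { 127.0.0.0/8; 192.0.2.0/24; };

// Flat layout the thread is complaining about: recursion is off for the
// world, but the root hint zone is global, so a "." query from any
// (spoofed) source still gets the large root referral back.
//
//   options { recursion no; allow-recursion { trusted; }; };
//   zone "." { type hint; file "named.ca"; };
//   zone "example.org" { type master; file "example.org.zone"; };

// Split layout: the resolver role only exists inside the internal view.
view "internal" {
    match-clients { trusted; };
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    // Root hints live only here, so only trusted clients can make this
    // server walk the tree or hand out the root referral.
    zone "." { type hint; file "named.ca"; };
    zone "example.org" { type master; file "example.org.zone"; };
};

// Everyone else reaches an authoritative-only view: no hints, no cache,
// no recursion.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query-cache { none; };
    additional-from-cache no;
    additional-from-auth no;
    // Only zones this server is authoritative for.  A "." query here gets
    // a short error response instead of a root referral, which removes
    // the amplification that the flat layout above provides.
    zone "example.org" { type master; file "example.org.zone"; };
};
```

After reloading, `dig @<server> . NS` from an address outside the trusted ACL should no longer return the hint referral, while the same query from inside still works.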


