
discuss - Re: [opennic-discuss] Annoying DoS

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

  • From: Bersl <bersl2 AT bersl2.info>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] Annoying DoS
  • Date: Thu, 18 Oct 2012 10:15:58 -0500

On 10/18/2012 01:17 AM, Jeff Taylor wrote:
> This script will block the typical isc.org attacks, however the
> ripe.net attacks we have been seeing over the past week do not get
> trapped. I've been planning to add new rules to the script to
> catch this new attack, but haven't had a chance yet.

At least based on what I see with my server, I just want to say that
if you look at the actual packets which are meant to trigger the
amplification, there's a really obvious pattern (one that isn't just
blocking lookups to isc.org or anything of the like). I suspect they
structure the packets like this to get through slightly lax firewalls.

Also, an open-ended question that's probably better suited for
dns-operations: Given all the effort going into improving latency for
small HTTP streams over TCP, shouldn't most systems (i.e., those not
attached to high-latency or high-loss links) default to DNS over TCP,
with the UDP as a (rate-limited) fallback? Amplification attacks like
this wouldn't work anymore.


