Geo. wrote:
What feature of DNS is being exploited, UDP or the fact that there are a lot of dns servers you can use?
I think that this is probably a better point than you think. It's almost impossible to change the design of the DNS protocol now but, going foreward, I think that we do need to add to the best-practices list that any UDP based protocol that has an ability to produce packet size amplification, and that is likely to be available to the public (i.e. not firewalled off just on principle) should be modified so that, before large packets get sent back to a client, that the service have some sort of 'hello' type protocol that requires that the initiating machine can prove that it's actually able to receive the packets that it's causing to be produced. Even something as simple as syn cookies would probably make amplification difficult for most attackers. To put it another way: UDP as a purely connectionless protocol is fast becoming a liability in situations where significant amplification is possible. -- Stephen Samuel +1(778)861-7641 samnospam@xxxxxxxxxxx http://www.bcgreen.com/ Powerful committed communication. Transformation touching the jewel within each person and bringing it to light.