BugTraq
Thread: recursive DNS servers DDoS as a growing DDoS problem
  Feb 28 2006 11:05AM  Gadi Evron (ge linuxbox org) (2 replies)
  Re: Mar 25 2006 09:40AM  MaddHatter maddhatt+bugtraq (at) cat.pdx (dot) edu [email concealed] (maddhatt+bugtraq cat pdx edu) (1 replies)
  Re: Mar 25 2006 04:06PM  Gadi Evron (ge linuxbox org) (1 replies)
  Re: Mar 26 2006 04:34PM  Geo. (geoincidents nls net) (3 replies)
  Re: Mar 27 2006 11:42PM  gboyce (gboyce badbelly com)
  Re: Mar 27 2006 11:27PM  mike davis (phar stonedcoder org) (1 replies)
  Re: Mar 28 2006 03:09AM  Geo. (geoincidents nls net) (1 replies)
  Re: Mar 30 2006 08:23PM  Gadi Evron (ge linuxbox org)
  Re: Mar 07 2006 05:26PM  Ventsislav Genchev (vigour1 gmail com) (1 replies)
  Re: Mar 14 2006 11:52AM  Robert Story (rstory-l 2006 revelstone com) (1 replies)
  Re: Mar 18 2006 12:37AM  Michael Sierchio (kudzu tenebras com)
> What feature of DNS is being exploited, UDP or the fact that there are a lot
> of dns servers you can use?
>
I think that this is probably a better point than you think.
It's almost impossible to change the design of the DNS
protocol now but, going forward, I think that we do
need to add to the best-practices list that any UDP based
protocol that has an ability to produce packet size
amplification, and that is likely to be available to the
public (i.e. not firewalled off just on principle) should
be modified so that, before large packets get sent
back to a client, the service has some sort of 'hello'
type protocol that requires that the initiating machine
can prove that it's actually able to receive the packets
that it's causing to be produced. Even something as
simple as SYN cookies would probably make amplification
difficult for most attackers.
To put it another way: UDP as a purely connectionless
protocol is fast becoming a liability in situations where
significant amplification is possible.
--
Stephen Samuel +1(778)861-7641 samnospam (at) bcgreen (dot) com [email concealed]
http://www.bcgreen.com/
Powerful committed communication. Transformation touching
the jewel within each person and bringing it to light.
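The reachability 'hello' described in the post, as an added illustrative example (not code from the post, from BIND or from any DNS implementation; the same idea was later standardised for DNS as DNS Cookies, RFC 7873): a stateless cookie in the spirit of SYN cookies. The server answers an uncookied query with a reply no larger than the query, so a spoofed source gains no amplification; only a host that actually received that reply can echo the cookie and earn the large answer. The secret, lifetime, sizes and simulated answer are assumptions of this example.

```python
import hashlib, hmac, os, struct

SERVER_SECRET = os.urandom(32)   # assumed per-server secret; rotate periodically
COOKIE_LIFETIME = 300            # assumed validity window in seconds
COOKIE_LEN = 12                  # 4-byte time bucket + 8-byte truncated HMAC

def make_cookie(client_ip: str, now: float, secret: bytes = SERVER_SECRET) -> bytes:
    """Stateless cookie bound to the source address: HMAC(secret, ip || time bucket).
    Nothing is stored server-side, so the check costs no memory under flood."""
    bucket = struct.pack("!I", int(now) // COOKIE_LIFETIME)
    tag = hmac.new(secret, client_ip.encode() + bucket, hashlib.sha256).digest()[:8]
    return bucket + tag

def verify_cookie(client_ip: str, cookie: bytes, now: float,
                  secret: bytes = SERVER_SECRET) -> bool:
    """Accept cookies from the current or previous time bucket, nothing older."""
    if len(cookie) != COOKIE_LEN:
        return False
    bucket = cookie[:4]
    current = int(now) // COOKIE_LIFETIME
    if struct.unpack("!I", bucket)[0] not in (current, current - 1):
        return False
    expected = hmac.new(secret, client_ip.encode() + bucket, hashlib.sha256).digest()[:8]
    return hmac.compare_digest(expected, cookie[4:])   # constant-time compare

def big_answer(request: bytes) -> bytes:
    """Stand-in for the large response an amplifying service would normally send."""
    return b"ANSWER" + request * 50

def handle_request(src_ip: str, request: bytes, cookie: bytes, now: float) -> bytes:
    """Datagram handler: without a valid cookie, reply only with a fresh cookie.
    That reply (6-byte tag + 12-byte cookie) is smaller than any realistic query,
    so traffic reflected at a spoofed source cannot be amplified."""
    if not verify_cookie(src_ip, cookie, now):
        return b"COOKIE" + make_cookie(src_ip, now)
    return big_answer(request)

def amplification_factor(request: bytes, reply: bytes) -> float:
    """Bytes sent to the source per byte the requester put on the wire."""
    return len(reply) / len(request)

if __name__ == "__main__":
    query = b"Q" * 40                          # constructed 40-byte query
    spoofed = handle_request("203.0.113.7", query, b"", 1000.0)
    print("spoofed query, no cookie: factor %.2f" % amplification_factor(query, spoofed))
    cookie = spoofed[len(b"COOKIE"):]          # only the real owner of the IP sees this
    real = handle_request("203.0.113.7", query, cookie, 1001.0)
    print("cookied query: factor %.2f" % amplification_factor(query, real))
```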