On Aug 1, 2012, at 7:50 AM, Don Stokes wrote:
> AAAA records for all the listed services will produce a pretty decent sized response without needing to throw DNSSEC at it
We've been seeing large (100gb/sec+) DNS reflection/amplification attacks for years. Yes, the attacker will identify a big TXT record, or he will execute an ANY query (blocking ANY queries during an attack is a rational response, although this will break qmail), or he will query any DNSSEC-enabled server and be guaranteed that the minimum response size he will get will be at least 1300 bytes. We see all of this routinely.
> The real solution is for providers to filter source addresses at the edge so that this kind of spoofing can't happen.
Yes, along with ensuring you're not running open recursors - but you can (and should!) do this only for networks within your span of administrative control. There is a rate-limiting patch for BIND9, but it only goes so far as the box is still pummeled by the queries. Reaction tools such as S/RTBH, flowspec, and/or IDMS [full disclosure - I am an employee of a vendor of IDMS solutions] are also commonly used to mitigate these attacks.
Note that we also routinely see large SNMP, NTP, and Quake3/4 server reflection/amplification attacks, as well.
-----------------------------------------------------------------------
Roland Dobbins
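Added example, not code from the thread: a small Python detector that applies the amplification observation made above (ANY and large TXT/DNSSEC answers returning many times the request size) to resolver log lines. The log format and sample lines are constructed for illustration; a real deployment would parse its own resolver's query log.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumed format, one query/response pair per line):
# client IP, qname, qtype, request bytes, response bytes.
SAMPLE_LOG = """\
198.51.100.7 example.net ANY 40 1420
198.51.100.7 example.net ANY 40 1420
198.51.100.7 example.net ANY 40 1420
198.51.100.7 example.net ANY 40 1420
203.0.113.9 www.example.org A 45 61
203.0.113.9 example.org AAAA 48 76
198.51.100.7 sec.example.com TXT 44 1310
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")


def parse_log(text):
    """Yield (src, qname, qtype, req_bytes, resp_bytes); skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, qname, qtype, req, resp = m.groups()
        yield src, qname, qtype, int(req), int(resp)


def amplification_report(text, min_ratio=10.0, min_queries=3):
    """Aggregate per source address and flag sources whose bytes-out / bytes-in
    ratio and query count both exceed the thresholds. A spoofed victim address
    shows up as a source that sends tiny queries and receives large answers."""
    stats = defaultdict(lambda: {"queries": 0, "req": 0, "resp": 0, "qtypes": set()})
    for src, _qname, qtype, req, resp in parse_log(text):
        s = stats[src]
        s["queries"] += 1
        s["req"] += req
        s["resp"] += resp
        s["qtypes"].add(qtype)
    report = {}
    for src, s in stats.items():
        ratio = s["resp"] / s["req"]
        report[src] = {
            "queries": s["queries"],
            "ratio": round(ratio, 1),
            "qtypes": sorted(s["qtypes"]),
            "suspect": ratio >= min_ratio and s["queries"] >= min_queries,
        }
    return report


if __name__ == "__main__":
    for src, r in amplification_report(SAMPLE_LOG).items():
        print(src, r)
```

The flagged source is the address being reflected at, which is what a response-rate-limiting or S/RTBH decision keys on; the thresholds are assumptions to tune per resolver.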