On a related note, I've been running an Urban Terror game server open to the internet at our community house and seeing very high traffic occasionally (mostly outbound, fully saturating our ADSL). It took me longer than it should have to figure out what was going on; it seems that the Urban Terror server can be exploited as a UDP traffic amplifier too.

http://www.urbanterror.info/forums/topic/27825-drdos/



On 4 November 2012 17:21, Dobbins, Roland <rdobbins@arbor.net> wrote:

On Nov 2, 2012, at 4:05 AM, Juha Saarinen wrote:

> Are the local open resolvers seen as a problem?

A combination of three things enables DNS reflection/amplification attacks:

1. Lack of anti-spoofing deployed at the customer aggregation edge (shameful in 2012).

2. Open DNS recursors (also shameful in 2012).

3. EDNS0 (necessary).

Before going on a chase for open recursors, it would be a wise investment of time and effort to ensure that one has implemented BCP84 anti-spoofing at one's customer aggregation edge. Without the ability to emit spoofed packets, the open recursors can't be abused in this way.

Also note that DNS reflection/amplification attacks can be initiated without utilizing open recursors, simply by sending spoofed packets directly to authoritative servers. So, deploying anti-spoofing should be the priority.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

          Luck is the residue of opportunity and design.

                       -- John Milton

_______________________________________________
NZNOG mailing list
NZNOG@list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog
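
To illustrate the anti-spoofing point made in the message above, here is an added example (not part of the original thread) of a strict reverse-path source check, the kind of ingress filtering BCP84 covers, applied to packets arriving at a customer aggregation edge. The interface names, prefixes and packets are constructed for illustration.

```python
import ipaddress

# Constructed example: prefixes routed to each customer-facing interface.
# Interface names are hypothetical; addresses are documentation ranges.
CUSTOMER_ROUTES = {
    "cust-if-1": ["192.0.2.0/25"],
    "cust-if-2": ["192.0.2.128/25", "2001:db8:a::/48"],
}

# Constructed packets arriving at the aggregation edge (e.g. DNS queries).
PACKETS = [
    {"in_if": "cust-if-1", "src": "192.0.2.10"},      # customer's own address
    {"in_if": "cust-if-1", "src": "203.0.113.7"},     # forged: not routed here at all
    {"in_if": "cust-if-1", "src": "192.0.2.200"},     # forged: another customer's address
    {"in_if": "cust-if-2", "src": "2001:db8:a::53"},  # customer's own IPv6 address
    {"in_if": "cust-if-2", "src": "not-an-address"},  # malformed source
]


def build_table(routes):
    """Flatten per-interface prefixes into (network, interface) pairs."""
    return [(ipaddress.ip_network(p), ifname)
            for ifname, prefixes in routes.items() for p in prefixes]


def reverse_path_interface(table, src):
    """Longest-prefix match on the source address; None if no route covers it."""
    addr = ipaddress.ip_address(src)
    matches = [(net.prefixlen, ifname) for net, ifname in table
               if net.version == addr.version and addr in net]
    return max(matches)[1] if matches else None


def ingress_verdict(table, in_if, src):
    """Strict check: accept only if the route back to src uses the arrival interface."""
    try:
        return "accept" if reverse_path_interface(table, src) == in_if else "drop"
    except ValueError:  # unparseable source address
        return "drop"


def filter_packets(routes, packets):
    """Return the verdict for each packet, in order."""
    table = build_table(routes)
    return [ingress_verdict(table, p["in_if"], p["src"]) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(PACKETS, filter_packets(CUSTOMER_ROUTES, PACKETS)):
        print(f'{pkt["in_if"]:10} {pkt["src"]:16} {verdict}')
```

Packets whose source address does not route back out the interface they arrived on are dropped at the edge, so they never reach a recursor or authoritative server that could reflect a response.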