
On Nov 2, 2012, at 4:05 AM, Juha Saarinen wrote:
Are the local open resolvers seen as a problem?
A combination of three things enables DNS reflection/amplification attacks:

1. Lack of anti-spoofing deployed at the customer aggregation edge (shameful in 2012).
2. Open DNS recursors (also shameful in 2012).
3. EDNS0 (necessary).

Before going on a chase for open recursors, it would be a wise investment of time and effort to ensure that one has implemented BCP84 anti-spoofing at one's customer aggregation edge. Without the ability to emit spoofed packets, the open recursors can't be abused in this way.

Also note that DNS reflection/amplification attacks can be initiated without utilizing open recursors, simply by sending spoofed packets directly to authoritative servers.

So, deploying anti-spoofing should be the priority.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins(a)arbor.net> // <http://www.arbornetworks.com>

Luck is the residue of opportunity and design.

-- John Milton
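As an added illustration of the BCP84 anti-spoofing check the message recommends (example code written for this page, not part of the post or of any vendor implementation), the following simulates strict and loose unicast RPF on a customer aggregation router. The FIB, interface names and sample packets are constructed; the point it shows is that only strict mode, applied at the customer edge, stops a customer port from emitting packets with a routable victim's source address.

```python
import ipaddress

# Constructed FIB for a customer-aggregation router (sample data, not from the post).
# Maps an IPv4 prefix to the interface that traffic for it would be sent out of.
FIB = {
    "192.0.2.0/24":    "cust-A",   # customer A's assigned block
    "198.51.100.0/24": "cust-B",   # customer B's assigned block
    "203.0.113.0/24":  "uplink",   # a remote network reached via the upstream
    "0.0.0.0/0":       "uplink",   # default route
}

def lookup(addr):
    """Longest-prefix match. Returns (matched_network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_permits(src, ingress, mode="strict"):
    """BCP84 (uRPF) source check for a packet arriving on `ingress`.
    strict: the route back to the source must leave via the ingress interface,
            which is what a customer aggregation edge should enforce.
    loose:  any non-default route to the source suffices (too weak at the
            customer edge: it still lets a spoofed but routable source through)."""
    match = lookup(src)
    if match is None:
        return False
    net, iface = match
    if mode == "strict":
        return iface == ingress
    return net.prefixlen > 0   # loose: a default route alone is not reachability

def filter_packets(packets, mode="strict"):
    """Apply the check to (src, dst, ingress) tuples; return the dropped sources."""
    return [src for src, _dst, ingress in packets if not urpf_permits(src, ingress, mode)]

# Constructed sample: customer A's port emits one legitimate packet and two spoofed ones
# whose source is a victim's address (the precondition for reflection the post describes).
SAMPLE = [
    ("192.0.2.10",  "198.51.100.53", "cust-A"),  # legitimate source from A's block
    ("203.0.113.5", "198.51.100.53", "cust-A"),  # spoofed: routable victim address
    ("10.0.0.1",    "198.51.100.53", "cust-A"),  # spoofed: unrouted (bogon) source
]

if __name__ == "__main__":
    print("strict drops:", filter_packets(SAMPLE, "strict"))  # both spoofed sources
    print("loose drops: ", filter_packets(SAMPLE, "loose"))   # only the bogon
```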