North American Network Operators Group|
Re: DNS cache poisoning attacks -- are they real?
On Sun, 27 Mar 2005, Randy Bush wrote:
>
> i have yet to see cogent arguments, other than scaling issues,
> against running open recursive servers.
>

The common example to NOT run them is the DNS Smurf attack: forge DNS requests from your victim for some 'large' response. MX for mci.com probably works for this; make that happen from a few hundred of your friends/bots. It seems that an MX lookup will return 497 bytes, while a query that returns "see root please" is only 236 today.

Larger providers have the problem that you can't easily filter 'customers' from 'non-customers' in a sane and scalable fashion. While they have to run the open resolvers for customer service reasons, they can't adequately protect them from abusers or attackers in all cases.

-Chris
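As an added example (not part of Chris's post or any NANOG tooling), a small Python check over constructed resolver log records that applies the two points above from a defender's side: a per-source amplification ratio using the post's 236-byte versus 497-byte figures, and a customer-prefix test of the kind large providers find hard to scale. The record layout, prefixes and thresholds are assumptions.

```python
"""Flag likely reflection abuse in constructed DNS resolver log records."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample, not real traffic: (client, qtype, query_bytes, response_bytes).
# Sizes echo the post: ~236 bytes for a referral-sized answer, ~497 for an MX answer.
SAMPLE_RECORDS = [
    ("192.0.2.10", "A", 45, 236),
    ("192.0.2.10", "MX", 40, 497),
    ("198.51.100.7", "MX", 40, 497),
    ("198.51.100.7", "MX", 40, 497),
    ("198.51.100.7", "MX", 40, 497),
    ("198.51.100.7", "MX", 40, 497),
    ("203.0.113.5", "A", 45, 120),
]

# Hypothetical customer prefixes; a resolver serving only these could
# refuse recursion to everything else (the ACL the post calls hard to scale).
CUSTOMER_PREFIXES = [ip_network("192.0.2.0/24")]


def is_customer(client, prefixes=CUSTOMER_PREFIXES):
    """True if the client address falls inside a served prefix."""
    addr = ip_address(client)
    return any(addr in net for net in prefixes)


def amplification_by_client(records):
    """Return {client: (query_count, query_bytes, response_bytes, ratio)}."""
    totals = defaultdict(lambda: [0, 0, 0])
    for client, _qtype, q_bytes, r_bytes in records:
        t = totals[client]
        t[0] += 1
        t[1] += q_bytes
        t[2] += r_bytes
    return {c: (n, qb, rb, rb / qb) for c, (n, qb, rb) in totals.items()}


def flag_reflection(records, min_ratio=5.0, min_response_bytes=1000):
    """Non-customer sources receiving far more bytes than they send.

    A spoofed victim never sent the queries, so the tell is an address
    outside the served prefixes drawing a large, highly amplified volume
    of answers.  Returns sorted (client, query_count, ratio) tuples.
    """
    flagged = []
    for client, (n, qb, rb, ratio) in amplification_by_client(records).items():
        if not is_customer(client) and ratio >= min_ratio and rb >= min_response_bytes:
            flagged.append((client, n, ratio))
    return sorted(flagged)
```

Thresholds should be tuned against the resolver's normal traffic; the ratio alone does not distinguish a spoofed victim from a busy legitimate non-customer, which is why the prefix test is combined with it.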