> In message <606F1AD6-F86A-436B-972E-1F204C64464C@menandmice.com>,
> Chris Buxton wrote:
> >Yes. There is an attack based on DNS queries with forged source
> >addresses.
> >
> >{basic description of DNS amplification attack scenario snipped}

> Although "open" recursive servers are certainly the easiest way to
> obtain the kinds of amplification needed to make an attack of this
> type truly menacing, I have long wondered if that's really the only
> way to obtain serious amplification for such an attack.
> Wouldn't it perhaps be more accurate to say that _any_ DNS server
> that is willing and able to serve up _any_ responses (even ones for
> zones for which it is authoritative) which are significantly larger
> than the relevant queries could be exploited as amplifiers, and thus
> be used as part of such an attack?

Yes. That's why we keep saying: deploy BCP 38. Open
recursive servers are just an easy amplifier.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
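The two points made in this exchange, that the amplification factor of a DNS server is simply the ratio of response size to query size regardless of whether the server is recursive, and that BCP 38 ingress filtering stops forged-source packets at the network edge, can be illustrated in a few lines. The following Python is an added example written for this thread, not code from ISC or either poster; the exchange records, packet sizes and the customer prefixes (RFC 5737/3849 documentation ranges) are all constructed, and the function names are my own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class DnsExchange:
    """One UDP query/response pair as a resolver operator might log it.

    Sizes are UDP payload bytes; values here are constructed for illustration.
    """
    src_ip: str
    qname: str
    qtype: str
    query_bytes: int
    response_bytes: int

    @property
    def amplification(self) -> float:
        # Amplification factor = bytes sent to the (possibly forged) source
        # per byte the attacker had to send. Authoritative-only servers count too.
        return self.response_bytes / self.query_bytes


# Constructed sample log: note the server is authoritative for example.com,
# not an open recursor, yet some answers are still far larger than the query.
SAMPLE_EXCHANGES = [
    DnsExchange("192.0.2.10", "example.com", "A", 40, 56),
    DnsExchange("192.0.2.10", "example.com", "ANY", 40, 1800),
    DnsExchange("198.51.100.7", "example.com", "DNSKEY", 45, 1200),
    DnsExchange("203.0.113.5", "example.com", "TXT", 38, 300),
]


def flag_amplifiers(exchanges, threshold=10.0):
    """Return exchanges whose response is at least `threshold` times the query.

    An operator can use this on their own query logs to see which record
    types or names make their server attractive as an amplifier and then
    apply response-rate limiting or minimal-answer settings to those.
    """
    return [e for e in exchanges if e.amplification >= threshold]


# BCP 38: on the customer-facing edge, only forward packets whose source
# address belongs to prefixes actually assigned to that customer.
CUSTOMER_PREFIXES = ["192.0.2.0/24", "2001:db8:1::/48"]  # constructed assignment


def bcp38_ingress_filter(src_ip: str, allowed_prefixes) -> bool:
    """True if a packet with this source address may be forwarded upstream."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(p) for p in allowed_prefixes)


def apply_ingress_filter(src_ips, allowed_prefixes):
    """Split a batch of packet source addresses into forwarded and dropped."""
    forwarded, dropped = [], []
    for src in src_ips:
        (forwarded if bcp38_ingress_filter(src, allowed_prefixes) else dropped).append(src)
    return forwarded, dropped


if __name__ == "__main__":
    for e in flag_amplifiers(SAMPLE_EXCHANGES):
        print(f"{e.qtype:7} {e.qname}: {e.amplification:.1f}x amplification")
    fwd, drop = apply_ingress_filter(
        ["192.0.2.10", "198.51.100.7", "2001:db8:1::5"], CUSTOMER_PREFIXES)
    print("forwarded:", fwd, "dropped (forged source):", drop)
```

The filter is the part that actually removes the problem: a forged packet claiming to come from 198.51.100.7 never leaves the customer's network, so it does not matter how large the server's answer would have been. The amplifier report is the secondary control for server operators who cannot influence what their upstreams filter.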