For those not on NANOG, on that list is quite some discussion going on about using (recursive) name servers for amplification attacks. The discussion starts at http://www.merit.edu/mail.archives/nanog/threads.html#16000.o

There is a special mailing list devoted to this problem by the ISC: http://lists.oarci.net/mailman/listinfo/dns-operations, and this list is open to anyone.

There is a US-CERT warning about this: http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf.

The upshot is: Close your open recursive nameservers.

Other info: http://dns.measurement-factory.com/surveys/sum1.html and a plug for a secure template by the Cymru guys: http://www.cymru.com/Documents/secure-bind-template.html

Maybe all this is worth a slot at the coming dns-wg (or eof) meeting?

jaap

Acknowledgement: Information compiled from messages from Harvey Allen, Lucy Lynch, Rob Thomas and others.
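A small check an operator can run against a resolver they manage to see whether it still answers recursive queries for outside clients, and how much larger its reply is than the query. This is an added example, not code from the thread or from any of the referenced documents; the flag bit positions follow the standard DNS header, and the two sample replies are constructed test data.

```python
import socket
import struct

# Constructed test name; any name the resolver would look up recursively works.
TEST_NAME = "example.com"

def build_query(name, qid=0x1234):
    """Build a minimal A query with RD (recursion desired, 0x0100) set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_flags(response):
    """Return (QR, RA, RCODE, answer count) from a DNS response header."""
    _qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return bool(flags & 0x8000), bool(flags & 0x0080), flags & 0x000F, an

def classify(query, response):
    """Return (is_open_recursive, amplification_factor) for one query/reply pair."""
    if response[:2] != query[:2]:
        raise ValueError("response ID does not match query ID")
    qr, ra, rcode, an = parse_flags(response)
    # A resolver that recursed for us sets RA, answers NOERROR and returns records.
    open_recursive = qr and ra and rcode == 0 and an > 0
    return open_recursive, len(response) / len(query)

def check_resolver(server, name=TEST_NAME, timeout=2.0):
    """Send the query over UDP to a server you operate and classify its reply (needs network)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        response, _ = s.recvfrom(4096)
    return classify(query, response)

# Constructed sample replies to the TEST_NAME query, for offline use.
_QUESTION = build_query(TEST_NAME)[12:]
# Open resolver: QR=1 RD=1 RA=1 RCODE=0, one A record (192.0.2.1, TEST-NET) via a name pointer.
SAMPLE_OPEN_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
                       + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1]))
# Closed resolver: QR=1 RD=1 RA=0 RCODE=5 (REFUSED), no answer records.
SAMPLE_REFUSED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    q = build_query(TEST_NAME)
    for label, resp in (("open", SAMPLE_OPEN_RESPONSE), ("refused", SAMPLE_REFUSED_RESPONSE)):
        print(label, classify(q, resp))
```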
----- Original Message ----- From: "Jaap Akkerhuis" <jaap@NLnetLabs.nl>
For those not on NANOG, on that list is quite some discussion going on about using (recursive) name servers for amplification attacks. The discussion starts at http://www.merit.edu/mail.archives/nanog/threads.html#16000.o
There is a special mailing list devoted to this problem by the ISC: http://lists.oarci.net/mailman/listinfo/dns-operations, and this list is open to anyone.
There is a US-CERT warning about this: http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf.
The upshot is: Close your open recursive nameservers.
Other info: http://dns.measurement-factory.com/surveys/sum1.html and a plug for a secure template by the cymru guys: http://www.cymru.com/Documents/secure-bind-template.html
Maybe all this is worth a slot at the coming dns-wg (or eof) meeting?
jaap
Acknowledgement: Information compiled from messages from Harvey Allen, Lucy Lynch, Rob Thomas and others.
It might be worth mentioning that DNS is not the only service being abused for this kind of attack. Strictly speaking, any service replying to spoofed packets with more data than what it received is affected. That includes the TCP protocol and also authoritative nameservers (tip: dig -t a b.n @a.nic.fr) that respond to queries. But recursive nameservers are obviously an easier target.. for now.

j (who finds it interesting that people are discussing this issue now and not in around year 2000, which was, at least for me, the first time I noticed this problem.)
At 11:11 +0100 2/27/06, Jaap Akkerhuis wrote:
For those not on NANOG, on that list is quite some discussion going on about using (recursive) name servers for amplification attacks. ...
Maybe all this is worth a slot at the coming dns-wg (or eof) meeting?
Yes, it is worth some time. Some folks remain unconvinced that open recursive servers are a problem.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468 NeuStar
Nothin' more exciting than going to the printer to watch the toner drain...
Participants (3): Edward Lewis, Jaap Akkerhuis, Jørgen Hovland