Reindl Harald <h.rei...@thelounge.net> writes:

> On 16.12.21 at 14:56, Andrew P. wrote:
>> Reindl Harald <h.rei...@thelounge.net> writes:
>> On 16.12.21 at 14:22, Andrew P. wrote:
>>>> You don't understand what kind of blacklist I want; I want to blacklist
>>>> the domain name being asked for, so I don't answer for it. I'm not
>>>> looking to blacklist forged IP addresses of requestors (since we all
>>>> know criminals don't use their own identities; they use the identities
>>>> of innocent bystanders).
>>>>
>>>> Again, why should _my_ nameserver respond to a query for "./ANY/IN"?
>>>> I am not a rootserver, and never will be.
>>>
>>> AGAIN: you don't gain anything by not responding on a UDP protocol
>>> because the client can't distinguish no response from packet loss
>>
>> AGAIN, the criminal DDoS attacker who's creating these forged requests
>> isn't looking for replies to themselves
>
> but a legit client does, while these attacks aren't successful at all

And you still haven't told me who would be a legitimate client making that request for the root domain from my nameserver. Frankly, I can't think of _anyone_ who should be making that request of my nameserver. Sure, it's a legitimate request to make of someone's first-hop ISP-provided caching-only nameserver, or of a root nameserver. But not against _my_ nameserver.

Or are you claiming there is DNS spoofing out there identifying legitimate name servers as authoritative for domains they are not actually authoritative for? Seems like a rather useless form of DNS spoofing, when such attackers could more usefully (to them) direct victims to nameservers under the attacker's control.

>> they're looking to abuse some poor victim. And the victim can't make the
>> attacker shut up
>
> this attacker must be pretty dumb then, because the ANY request only
> makes sense if it gets answered and the response is magnitudes larger
> than the request

Not if the attacker has a huge bot-net to make the requests. He doesn't care how much of the bots' network capacity is used up, since the attacker isn't paying for it. And, based on the same philosophy as spam, if they hit enough name servers, some of them will be insecure and provide the full response, while even those who only send an error packet still need to have that packet consumed at the victim.

> hence you need to send them to a server giving a full answer to the victim

No, not if you get enough error responses: it will still work. It just takes more.

> with just an error response he could send its attack traffic directly,
> given that the attacker needs the full bandwidth anyways and not using a
> valid DNS request, just blow out traffic to UDP 53

And why should the attacker give away the location of all his bots, when he can get all these legitimate nameservers to take the blame?

> one couldn't care less about attackers which don't know what they are doing

I suspect they do know what they are doing, or they wouldn't be wasting their time doing it.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
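The thread argues about "./ANY/IN" queries arriving at an authoritative server with forged source addresses. From the operator's side, the useful thing to see in the query log is not who sent them (that address is the reflection victim) but how many root-ANY queries are being pushed toward each forged source. The following Python script is an added example written for this page, not code from the thread or from ISC/BIND. Its sample log lines are constructed to resemble the shape of a BIND querylog entry (client address#port, query name, class, type); the regex, the helper names `parse_query_log` and `reflection_report`, and the threshold `min_any` are all assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample lines in the general shape of BIND 9 querylog output.
# These are made up for this example; the addresses are documentation ranges.
SAMPLE_LOG = """\
09-Dec-2021 10:00:01.001 client @0x7f3a 203.0.113.5#53123 (.): query: . IN ANY +E(0)K (192.0.2.1)
09-Dec-2021 10:00:01.002 client @0x7f3a 203.0.113.5#53124 (.): query: . IN ANY +E(0)K (192.0.2.1)
09-Dec-2021 10:00:01.003 client @0x7f3a 198.51.100.7#40001 (example.net): query: example.net IN A + (192.0.2.1)
09-Dec-2021 10:00:01.004 client @0x7f3a 203.0.113.5#53125 (.): query: . IN ANY +E(0)K (192.0.2.1)
09-Dec-2021 10:00:01.005 client @0x7f3a 198.51.100.9#40002 (example.net): query: www.example.net IN AAAA + (192.0.2.1)
09-Dec-2021 10:00:01.006 client @0x7f3a 203.0.113.5#53126 (.): query: . IN ANY +E(0)K (192.0.2.1)
09-Dec-2021 10:00:01.007 client @0x7f3a 203.0.113.9#53127 (.): query: . IN ANY +E(0)K (192.0.2.1)
"""

# Assumed line shape: "client [@0x...] SRC#PORT (NAME): query: QNAME QCLASS QTYPE ..."
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname_hint>[^)]*)\): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Yield (source_address, qname, qtype) for every line that matches the assumed shape."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("src"), m.group("qname"), m.group("qtype")


def reflection_report(text, min_any=3):
    """Count root-ANY queries per source address and flag sources above min_any.

    Under a reflection attack the source address is forged to be the victim,
    so the flagged addresses are where responses (full or REFUSED) are being
    aimed, not where the traffic originates.
    """
    per_src_any = Counter()
    per_src_total = Counter()
    for src, qname, qtype in parse_query_log(text):
        per_src_total[src] += 1
        if qname == "." and qtype.upper() == "ANY":
            per_src_any[src] += 1
    flagged = {src: n for src, n in per_src_any.items() if n >= min_any}
    return {
        "root_any_total": sum(per_src_any.values()),
        "queries_total": sum(per_src_total.values()),
        "flagged_targets": flagged,
    }


if __name__ == "__main__":
    report = reflection_report(SAMPLE_LOG)
    print(f"{report['root_any_total']} of {report['queries_total']} queries were ./ANY/IN")
    for src, n in sorted(report["flagged_targets"].items(), key=lambda kv: -kv[1]):
        print(f"  {src}: {n} root-ANY queries (likely reflection target)")
```

Run against a real querylog, the per-source counts give the operator a list of addresses being reflected at, which is what an abuse report to the victim's network needs; the thread's point that dropping versus answering REFUSED changes only the size of what reaches those addresses, not whether they receive it, is why the count per source is the number worth watching.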