A look at DNSSEC amplification attack again

The query "dig +dnssec any isc.org" returns a packet size of 3993 bytes

[ ~]# dig +dnssec any isc.org | grep "MSG SIZE"
;; MSG SIZE  rcvd: 3994

The original query is 50 bytes in size.  If the source address of that query is spoofed so that the answer is reflected to a victim name server, the amplification factor is about 80.  In theory, a 100 Mbps link can flood out 8 Gbps of traffic to DoS a name server.  Woo, no way the name server can survive.
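To make the ratio above something a resolver operator can actually watch for, here is an added example (not code from the original post) that computes the amplification factor from query and response sizes, scales it to the attacker's link speed as the post does, and runs a simple reflection-victim detector over log lines. The log format, the sample lines, the client addresses, and the thresholds (min_factor, min_count) are all constructed for this example and are assumptions, not a real resolver's log format.

```python
"""Added example: amplification ratio and reflection-victim detection.

The log format below is invented for this example: one line per answered query,
"<client> <qtype> <DO-flag> <query_bytes> <response_bytes>". Adapt parse_line()
to whatever your resolver actually logs.
"""
import re
from collections import defaultdict

# Constructed sample log. The 192.0.2.10 lines mirror the post's numbers
# (50-byte ANY query with DO bit, 3994-byte DNSSEC answer); the others are
# ordinary small lookups for contrast.
SAMPLE_LOG = """\
192.0.2.10 ANY DO 50 3994
192.0.2.10 ANY DO 50 3994
192.0.2.10 ANY DO 50 3994
198.51.100.7 A - 45 61
198.51.100.7 AAAA - 45 73
192.0.2.10 ANY DO 50 3994
203.0.113.5 TXT DO 48 512
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, qtype, do_flag, q, r = m.groups()
    return {
        "client": client,
        "qtype": qtype,
        "dnssec": do_flag == "DO",
        "query_bytes": int(q),
        "response_bytes": int(r),
    }


def amplification_factor(query_bytes, response_bytes):
    """Bytes sent to the victim per byte the attacker sends (3994/50 ~= 79.9)."""
    return response_bytes / query_bytes


def amplified_rate_mbps(link_mbps, factor):
    """Outbound traffic the reflector emits for a given attacker link speed."""
    return link_mbps * factor


def flag_reflection_victims(log_text, min_factor=20.0, min_count=3):
    """Group high-ratio responses by client address.

    In a reflection attack the logged client is the spoofed source, i.e. the
    victim, so a client that keeps receiving large answers to tiny queries is
    the signal worth alerting on. Returns {client: {count, bytes_in, bytes_out}}
    for clients at or above min_count qualifying responses.
    """
    stats = defaultdict(lambda: {"count": 0, "bytes_in": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        factor = amplification_factor(rec["query_bytes"], rec["response_bytes"])
        if factor >= min_factor:
            s = stats[rec["client"]]
            s["count"] += 1
            s["bytes_in"] += rec["query_bytes"]
            s["bytes_out"] += rec["response_bytes"]
    return {c: s for c, s in stats.items() if s["count"] >= min_count}


if __name__ == "__main__":
    print("factor:", round(amplification_factor(50, 3994), 2))
    print("100 Mbps in ->", amplified_rate_mbps(100, 80), "Mbps out")
    for client, s in flag_reflection_victims(SAMPLE_LOG).items():
        print(f"suspected reflection victim {client}: {s}")
```

The per-client byte totals are the quantity a response-rate-limiting decision would act on; the TXT client in the sample stays below the threshold, which shows why a ratio cut-off rather than a raw size cut-off is the better first filter.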
