The query "dig +dnssec any isc.org" returns a response of 3993 bytes:
[ ~]# dig +dnssec any isc.org | grep "MSG SIZE"
;; MSG SIZE rcvd: 3994
The original query is 50 bytes in size. If the answer is directed at a victim name server by spoofing the source IP address (using the responding server as a reflector), this gives an amplification factor of 80. In theory, a 100 Mbps link can flood out 8 Gbps of traffic to DoS a name server. Woo, no way the name server can survive.
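From the operator's side of the resolver, the same ratio can be used to spot reflection: the following added example (not from the original post) computes the per-source amplification factor from query and response sizes and flags sources that repeatedly receive heavily amplified answers. The log format, the sample records, and the thresholds are assumptions made for this example; the "source" in such records is the claimed, possibly spoofed, address.

```python
from collections import defaultdict

# Constructed sample records, not real traffic. Hypothetical format:
# "<source_ip> <qtype> <query_bytes> <response_bytes>"
SAMPLE_LOG = """\
192.0.2.10 A 45 61
192.0.2.10 AAAA 45 73
198.51.100.7 ANY 50 3994
198.51.100.7 ANY 50 3994
198.51.100.7 ANY 50 3994
203.0.113.5 ANY 50 3994
203.0.113.5 MX 48 120
this line is malformed
"""

def parse(log):
    """Yield (source, query_bytes, response_bytes), skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            query_bytes, response_bytes = int(parts[2]), int(parts[3])
        except ValueError:
            continue
        if query_bytes > 0 and response_bytes >= 0:
            yield parts[0], query_bytes, response_bytes

def amplification_by_source(log):
    """Return {source: (query_count, amplification_factor)} per claimed source IP."""
    totals = defaultdict(lambda: [0, 0, 0])  # count, bytes in, bytes out
    for source, query_bytes, response_bytes in parse(log):
        entry = totals[source]
        entry[0] += 1
        entry[1] += query_bytes
        entry[2] += response_bytes
    return {s: (n, out / inn) for s, (n, inn, out) in totals.items()}

def suspected_reflection_targets(log, min_factor=20.0, min_queries=3):
    """Sources that repeatedly received heavily amplified answers.
    Thresholds are assumptions for this example; tune them to local traffic."""
    stats = amplification_by_source(log)
    return sorted(s for s, (n, f) in stats.items() if n >= min_queries and f >= min_factor)

if __name__ == "__main__":
    for source, (count, factor) in sorted(amplification_by_source(SAMPLE_LOG).items()):
        print(f"{source}: {count} queries, amplification x{factor:.1f}")
    print("suspected targets:", suspected_reflection_targets(SAMPLE_LOG))
```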