DNS DDOS

Matthew Carpenter matt
Mon May 17 11:39:22 PDT 2004


On Thu, 24 Oct 2002 17:30:18 -0500
"David A. Bandel" <david at pananix.com> wrote:

True, but simple or not, it would have given much more of a fighting
chance.  I'm pretty sure that the DNS systems go toes-up a whole lot
quicker than the pipe would get filled.  I'm just surprised that the DDOS
was staged using ICMP at all.  If you're going to attack the root DNS
servers, wouldn't it be more logical to generate queries to UDP/53?  That
would be a lot more difficult to block.  DDOS-ing a server IP stack is
still tons easier than filling a pipe to NASA, the government, or any of
the other root-server maintainers.  A server process would be a lot easier
still.

> Not quite that simple.
> 
> Just because you are dropping ICMP packets doesn't mean your pipe's not
> full.  True, they'd have to send twice as many packets to get the same
> effect, or double the packet size, which is simple (since your system
> isn't acting as its own worst enemy by generating more packets). Your
> system also is processing those packets (dropping them).  So it would have
> to be an upstream router (several actually) dropping those incoming ICMP
> packets for this to work.