DR-DOS through DNS recursion

Slashdot is reporting on DDoS Attacks Via DNS Recursion. As is often the case over there, it’s old news.

Back to the issue. Some AC nicely explains: You just send requests to the DNS server spoofing yourself as the victim’s IP. (UDP is much easier to spoof, and can be sent out very quickly.) The replies, which are some 30 times larger than the requests, get sent to the spoofed IP (victim). It is a classic form of amplification attack.

Personally, I’d rather call it a Distributed Reflection Denial Of Service attack (DRDOS). The packets are reflected by Internet-facing recursive DNS servers, which are a bad thing for lots of reasons. DNS servers should resolve recursive queries for ‘local users’ only, whether those are on a LAN or an ISP’s customers, but not for the whole world. Hosting specialists will also explain that it is a bad idea to mix authoritative and recursive servers on the same machine, even if they are set up with ACLs dividing those roles, but that is another issue.
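As an added illustration that is not part of the original post, here is the “recursion for local users only” rule written out as BIND 9 named.conf fragments: the first form is the open-resolver setup that makes a server usable as a reflector, the second restricts recursion to an assumed set of local prefixes and keeps the authoritative view non-recursive. The ACL name, address ranges and zone name are placeholders.

```conf
// WEAK: recursion is answered for any source address, so spoofed UDP
// queries from anywhere get (large) recursive replies sent to the victim.
options {
    recursion yes;
    allow-recursion { any; };
};

// CORRECTED: recursion only for the assumed local/customer ranges
// (replace with your own LAN or ISP customer prefixes).
acl "trusted" {
    127.0.0.0/8;
    10.0.0.0/8;
    192.168.0.0/16;
};

// Internal clients: full recursive service.
view "internal" {
    match-clients { "trusted"; };
    recursion yes;
    allow-recursion { "trusted"; };
    allow-query { "trusted"; };
};

// Everyone else: authoritative data only, no recursion at all.
view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    allow-query { any; };          // the world must still reach the zone data
    zone "example.com" {           // placeholder zone name
        type master;
        file "db.example.com";
    };
};
```

When views are used, every zone has to live inside a view, so the internal view needs its own zone statements if local clients should see the authoritative data too.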

But now, what would be the difference between that and starting a DRDOS attack by sending spoofed requests to authoritative servers, querying for records they are authoritative for? E.g. spoof a DNS request for www.microsoft.com and send that UDP packet to a microsoft.com authoritative name server. Looks like a comparable risk, or am I missing something?

Yes, everything is a fscking DNS problem 🙂