On Sun, 15 Feb 2009, Greg A. Woods; Planix, Inc. wrote:

> On 15-Feb-2009, at 3:43 AM, Robert Edmonds wrote:
>> cache snooping can also facilitate amplification attacks, see RFC 5358.
>
> No, not without recursion enabled it can't.

In the last month, there've been a number of multi-day amplification attacks using spoofed "NS ." queries to ~750,000 nameservers. The requests were 45 bytes and the responses were ~500 bytes, making this 11 to 1 amplification. The victims (the spoofed source addresses) were seeing 5 gigabits of responses.

See http://www.theregister.co.uk/2009/02/10/new_dns_amplification_attacks/ for the overview and the thread starting with http://www.merit.edu/mail.archives/nanog/msg14429.html for the details of one of the attacks.

There aren't 750,000 nameservers authoritative for ".", so why did they all respond to it? They all either have recursion enabled for the world, or they allow cache snooping.

If your nameservers respond to requests from anywhere for "dig . ns @your.ns.ip" with anything but Refused, they probably were participating.

-- 
Aaron