[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] New DDoS attack vector
- To: "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] New DDoS attack vector
- From: "Dobbins, Roland" <rdobbins@xxxxxxxxx>
- Date: Fri, 20 May 2011 14:20:28 +0000
On May 20, 2011, at 8:43 PM, ascii wrote:
> the attack you proposed is very stretched and has an extremely low
> efficiency.
I believe that the 'attack' is actually backscatter from a targeted attack
against the MTAs/antispam systems/recursive DNS servers of the organization
whose MTAs were inundated with spam in the first place. It's a layer-7
amplification attack, and while the DNS backscatter queries can cause a DoS of
the third party's authoritative DNS servers, that's merely a byproduct of the
actual attack - i.e., collateral damage.
The confusion is caused by a misinterpretation of the observed attack traffic
and misanalysis of the attack methodology, stemming from misidentification of
the actual target of the attack.
Again, there's nothing really new here, and defensive measures exist for both
the primary attack vector and the backscatter queries which affect the third
party's DNS servers. This isn't a new DDoS attack vector or technique.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@xxxxxxxxx> // <http://www.arbornetworks.com>
The basis of optimism is sheer terror.
-- Oscar Wilde
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/