1. DNS/RFC/5358
J. Damas (ISC), F. Neves (Resgistro.br) October 2008
https://tools.ietf.org/html/rfc5358
こういう攻撃もあるという例:
3. Problem Description https://tools.ietf.org/html/rfc5358#section-3
Because most DNS traffic is stateless by design, an attacker could start a DoS attack in the following way:
- The attacker starts by configuring a record on any zone he has
- access to, normally with large RDATA and Time to Live (TTL).
- Taking advantage of clients on non-BCP38 networks, the attacker
- then crafts a query using the source address of their target victim and sends it to an open recursive nameserver.
- Each open recursive nameserver proceeds with the resolution,
- caches the record, and finally sends it to the target. After this first lookup, access to the authoritative nameservers is normally no longer necessary. The record will remain cached at the open recursive nameserver for the duration of the TTL, even if it's deleted from the zone.
- Cleanup of the zone might, depending on the implementation used
- in the open recursive nameserver, afford a way to clean the cached record from the open recursive nameserver. This would possibly involve queries luring the open recursive nameserver to lookup information for the same name that is being used in the amplification.
Taking advantage of an open recursive nameserver that supports EDNS0 [RFC2671], the amplification factor (response packet size / query packet size) could be around 80.
With this amplification factor, a relatively small army of clients and open recursive nameservers could generate gigabits of traffic towards the victim.