Hello, welcome to the Wednesday, March 18th, 2020 edition of the Sansanet Storms,

and I'm a recording from Jacksonville, Florida.

Over the last couple of weeks, I took a closer look at some reflective DNS denial of service attacks.

And while these attacks are not anything new, they are certainly not going away.

And I just want to get a feel for where these attacks are at currently.

Now, one thing that keeps popping up with these attacks is that the DNS records being used to amplify these attacks

are quite often.gov domains. Actually, in the sample here, and admittedly, this is a little bit

of random sample. It may be somewhat biased, but the number one domain by far being used here is access dashboard.gov.

We had before, for example, PeaceCorp.gov being used in this manner.

And part of the reason for this is not just that.gov domains, of course, are typically sort of considered trusted and not usually blocked.

The real problem here is that all.gov domains typically use DNSSEC.

And DNSSEC actually works in the favor of these denial of service attacks.

It does actually make them somewhat worse.

Because like in this case, this domain really only has one A record that's being returned

here, but they're also returning all of these DNSSEC records, all of the keys and the signatures,

and that increases the size of the response here to about 2 kilobytes.

Second domain, or second, I should say, record that was being requested as part of these denial of service attacks,

was also the name servers for the root zone.

Now, this priming response, as it's sometimes called, is often enabled on

Windows name servers. So that's why this is kind of a popular query, not quite as bad as some of these

dot-gov records, but still, you get 823 bytes in this response.

Now, the targets IRC servers, you know, again, sort of something that's not really going

...