- Related Stories
-
Bots slim down to get tough
November 16, 2005 -
'Bot herders' may have controlled 1.5 million PCs
October 21, 2005 -
DNS servers--an Internet Achilles' heel
August 3, 2005 -
New worm poses DoS attack threat
October 31, 2003
The new DOS attacks first emerged in late December and kicked into high gear in January, before dying down four weeks ago, said Ken Silva, VeriSign's chief security officer. In less than two months, 1,500 separate Internet Protocol addresses were attacked using this method, he noted.
"These attacks have been significantly larger than anything we've seen," he said.
Under a more common DOS attack, a network of bots, or compromised PCs commandeered by remote attackers, directly inundates a victim's Web server, name server or mail server with a multitude of queries. The goal of a DOS attack is to crash the victim's system, as it tries to respond to the requests.
But in this latest spate of DOS attacks, bots are sending queries to DNS (domain name system) servers with the return address pointed at the targeted victim. As a result, the DNS server, rather than the bot, makes the direct attack on the victim. The net result is a stronger attack and an increased difficulty in stopping it, Silva said.
While it is possible to stop a bot-delivered DOS attack by blocking the bot's IP address, blocking queries from DNS servers would prove more difficult, Silva said. He noted that companies could reconfigure their DNS servers to prevent the so-called recursive name service feature, as a possible solution. But he added that companies may be loath to prevent potential customers, partners, researchers and others from sending queries to their DNS.
- More from News.com on this story's topics
Security
Domain names
Security threats
Hacking
VeriSign
See more CNET content tagged:
denial of service,
VeriSign Inc.,
DNS server,
bot,
query


http://domainnamewire.com/2006/03/16/verisign-spin-machine-moves-into-high-gear/
3-way handshaking has been around for quite a few years now and thus it's nothing new... except for those whom have yet to implement it.
Thus even if you receive a DNS reply which you didn't ask for... 3-way handshaking should drop the packet because it wasn't requested... even if it's from your own DNS server!
Walt