I've been reading about DNS Amplification attacks recently. It seems like the universal consensus is that running a public UDP recursive DNS resolver without any rate limiting is a terrible idea, because with UDP, the source IP can be spoofed and the (large) responses reflected back to the fake source IP.
But couldn't you spoof the source IP and perpetrate such an attack with a public (which it has to be) authoritative server too?
No comments:
Post a Comment