[u-u] DNS Reflection Amplification Attack Mitigation

klodefactor at gmail.com klodefactor at gmail.com
Wed Dec 10 10:28:56 EST 2014

Just thinking out loud here...

You were dropping their packets on the floor? Any chance you were replying with an ICMP unreachable message?  I just don't want to ignore an obvious case.

If only dropping, the attacker could implement a rudimentary heartbeat by changing the target IP now and then, to a system of their own.

It's a bit cumbersome, and it risks early exposure of part of their C&C systems and communication; the heartbeat receiver ("stethoscope"?) would be easy to find.  But this heartbeat has the advantage of being able to change the detector easily: just change the target IP for the heartbeat.

As for risks to C&C, I imagine a botnet would be handy :-).

Assuming it's not just a coincidence...

-----Original Message-----
From: "Hugh Gamble" <hugh at phaedrav.com>
Sender: u-u-bounces at unixunanimous.org
Date: Tue, 9 Dec 2014 14:54:43
To: <u-u at unixunanimous.org>
Subject: [u-u] DNS Reflection Amplification Attack Mitigation
