.@ Tony Finch – blog


At the moment there are a lot of DNS-based attacks going on. They generally rely on spoofed queries: an attacker sends a DNS query with a forged source address to an open resolver (the reflector), which sends a large response (amplification) to the victim. A lot of people are saying that wider implementation of BCP38 would significantly reduce the problem, because BCP38 requires ISPs to filter packets with spoofed source addresses at their borders. However, the DNS relies on referrals from one name server to another, and these can be used to reflect and amplify attacks even when UDP source-address forgery is prevented.
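To make the two mechanisms in that paragraph concrete, here is an added example (my own code, not from this blog) of what a BCP38 ingress filter does and of how a resolver or ISP operator can spot the reflected-query pattern in flow data. The customer prefixes, the flow records and the detection thresholds are all constructed assumptions, using RFC 5737 documentation addresses.

```python
from ipaddress import ip_address, ip_network

# Prefixes a hypothetical access ISP has assigned to its customers (constructed).
# A BCP38 ingress filter admits a packet arriving from the customer side only if
# its source address lies inside one of these prefixes.
CUSTOMER_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]


def bcp38_permit(src_ip, prefixes=CUSTOMER_PREFIXES):
    """BCP38 ingress check: True if src_ip is a source the ISP actually assigned."""
    addr = ip_address(src_ip)
    return any(addr in prefix for prefix in prefixes)


def bcp38_filter(packets, prefixes=CUSTOMER_PREFIXES):
    """Split packets seen on the customer-facing border into (forwarded, dropped)."""
    forwarded = [p for p in packets if bcp38_permit(p["src"], prefixes)]
    dropped = [p for p in packets if not bcp38_permit(p["src"], prefixes)]
    return forwarded, dropped


# Constructed UDP/53 flow records (not real traffic) as a resolver operator might export them.
SAMPLE_FLOWS = [
    # ordinary lookup: small query, modestly larger answer
    {"src": "192.0.2.10", "sport": 40001, "dst": "192.0.2.53", "dport": 53, "bytes": 60},
    {"src": "192.0.2.53", "sport": 53, "dst": "192.0.2.10", "dport": 40001, "bytes": 120},
    # queries carrying the victim's forged source address, answered with large responses
    {"src": "203.0.113.5", "sport": 40002, "dst": "198.51.100.53", "dport": 53, "bytes": 64},
    {"src": "198.51.100.53", "sport": 53, "dst": "203.0.113.5", "dport": 40002, "bytes": 3000},
    {"src": "203.0.113.5", "sport": 40002, "dst": "198.51.100.53", "dport": 53, "bytes": 64},
    {"src": "198.51.100.53", "sport": 53, "dst": "203.0.113.5", "dport": 40002, "bytes": 3000},
    {"src": "203.0.113.5", "sport": 40002, "dst": "198.51.100.53", "dport": 53, "bytes": 64},
    {"src": "198.51.100.53", "sport": 53, "dst": "203.0.113.5", "dport": 40002, "bytes": 3000},
    # what the victim's own network sees: a response it never asked for
    {"src": "192.0.2.53", "sport": 53, "dst": "203.0.113.5", "dport": 40003, "bytes": 2500},
]


def find_amplified_pairs(flows, ratio_threshold=10.0, min_response_bytes=1000):
    """Group DNS flows by (client, resolver) and flag pairs where the response
    volume dwarfs the query volume, or where responses arrive with no query at all."""
    totals = {}  # (client, resolver) -> [query_bytes, response_bytes]
    for f in flows:
        if f["dport"] == 53:                      # query: client -> resolver
            key, q, r = (f["src"], f["dst"]), f["bytes"], 0
        elif f["sport"] == 53:                    # response: resolver -> client
            key, q, r = (f["dst"], f["src"]), 0, f["bytes"]
        else:
            continue                              # not DNS, ignore
        entry = totals.setdefault(key, [0, 0])
        entry[0] += q
        entry[1] += r

    flagged = []
    for (client, resolver), (qsum, rsum) in totals.items():
        if rsum < min_response_bytes:
            continue
        # No query observed means the "client" never asked: unsolicited responses.
        ratio = float("inf") if qsum == 0 else rsum / qsum
        if ratio >= ratio_threshold:
            flagged.append({"client": client, "resolver": resolver,
                            "query_bytes": qsum, "response_bytes": rsum, "ratio": ratio})
    return sorted(flagged, key=lambda e: -e["ratio"])


if __name__ == "__main__":
    queries = [f for f in SAMPLE_FLOWS if f["dport"] == 53]
    forwarded, dropped = bcp38_filter(queries)
    print(f"BCP38 forwarded {len(forwarded)} queries, dropped {len(dropped)} with spoofed sources")
    for entry in find_amplified_pairs(SAMPLE_FLOWS):
        print(f"{entry['resolver']} -> {entry['client']}: ratio {entry['ratio']:.1f}")
```

Two things worth noticing. The border filter only helps the ISP whose customer is doing the spoofing; it does nothing for the victim or the reflector once the forged query has escaped a network that does not filter. And the detector's "no query observed" case is the victim-side signature: responses arriving for queries that were never sent, which is exactly what BCP38 is meant to prevent and what the referral-based variant in this post can still produce.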