Dobbins, Roland wrote:
On Feb 19, 2014, at 12:48 PM, Joe Maimon <jmaimon@ttec.com> wrote:
What I can't figure out is what is the target and how this attack method is any more effective than the others.
The target appears to be the authoritative servers for the domain in question, yes?
I don't think so, but I have not compiled the full list of domains and compared the auth servers for each.
The attacker may consider it more effective because it provides a degree of obfuscation, or maybe he has some reason to game the operators of the authoritative servers in question into denying requests from your recursors.
Most (not all) attackers don't know that much about TCP/IP, DNS, et al., and they tend to copycat one another and do the same things due to magical thinking.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton