Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

How do you stop me from pointing my DNS record at your server?


Agreed, when I read this my first thought was it'd have to be some sort of IP based authentication, so you'd have to have a way to prove ownership of the target IP itself, however this doesn't really solve the problem of upstream impacts. Your ISP, colo facility or dedicated service provider probably won't be ok with you running these kinds of tests on their network.


Would be nice for ISPs if they could get something from the DDoS site that their customer authorized it, then they could drop the account and not feel bad about it.


That’s not how domain verification works.

Typically a service using domain verification will ask you to create a specific, randomly generated TXT or similar record on your domain. After you’ve created the record you click a button or something and they do a query for it.

Only someone with access to DNS for the domain can create such a record.


You misunderstood him.

Suppose:

    EXAMPLE.VICTIM.XYZ -> A 1.2.3.4
    EXAMPLE.ATTACKER.XYZ -> A 1.2.3.4
    EXAMPLE.ATTACKER.XYZ -> TXT whatever verification is needed
DDoSes operate on IPs, not dns names. In the end, the target IP is getting DDoSed anyway.


No I didn’t. I was speaking to domain name validation generally - as in a way for you to prove your ownership and control over a domain name.

Yes, of course DDoS or any kind of traffic can be pointed at an IP or any arbitrarily created DNS record.

The only way for a “reputable” stress testing platform to validate IP space would be RIR validation via WHOIS or similar, PTR records, etc. Of course this isn’t practical because most people don’t control their IP space or even have the foggiest idea what any of that means (because why should they).


> Only someone with access to DNS for the domain can create such a record.

That's why OP specified their DNS record. You buy/use a random domain name you own, point the A record at the IP you wish to attach, and then simply complete the TXT record verification since you have full control over the domain, while the booter resolves the A record to the true target.


Yeah but service providers can require than you upload a specific file at a specific location. This way, point your dns all you want.


I wouldn't, but all of the incoming requests would be served on your domain name, so it would be pretty easy for me to find out who that was registered to (or at least who the registrar is) and have it flagged for abuse. Bonus points if the "legit" booster site add their abuse contact info as header or user-agent.


> all of the incoming requests would be served on your domain name

No, most (?) DDoS attacks aren’t botnets sending HTTP requests directly, those would have terrible throughput and be trivial to mitigate. Instead they use amplification from third party servers where you send a small packet to get a big packet in response, mistakenly routed to the victim. There’s usually no way to attach a Referer to those, most of which aren’t even HTTP-based.


Because you don’t control my domain. Suppose I own joespizza.com and you want to attack it using a supposedly legit load-testing service. You would go to the service, sign up, enter joespizza.com/order as the page you want to test, and then be given a random string to add to a TXT record on joespizza.com. You don’t own joespizza.com, and you haven’t compromised my hosting service account, so you can’t create a legit DNS record. The service refuses to stress test my site, and you move on to the next thing.

How else do you imagine this working?


I imagine that I would register tedspizza.com, create a TXT record that says blast away, and set the A record to point to the same IP as joespizza.com.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: