A Question Regarding DNS Reflection Attacks

[berning...@gmail.com]

Hello, I am a student at Michigan State University studying computer science. I have an assignment in my intro to computer security course to perform a DNS amplification attack using a single packet. Ironically, it took me longer than it should have to complete the assignment because Google's DNS server is configured to prevent amplification attacks (I had to test my code using a different DNS server!). Nonetheless, after the assignment was completed, I wanted to perform the full attack on myself out of intrigue. Based off of what I've read, Google's DNS server is configured to prevent denial of service as well as amplification, so in theory, launching this attack shouldn't cause any harm. However, I would never perform such a task without permission from the owners of the DNS server. I couldn't find a proper place to ask this question, so I'm hoping this is where I would do that. Thank you for your time.

[Alex Dupuy]

Hi Avery,

Thanks for your post, which you sent to the right place (and from the right place as well, I appreciate your candor and desire to do the right thing). Unfortunately I'm afraid that nobody reading it would be able to give you what you want, which is an okay to launch a reflection attack against yourself using Google Public DNS.

There are internal teams at Google that do this sort of thing, and I hope that you might be interested in applying for a position at Google working with one of them in a year or two. The security teams probably don't do internships, but there might be an opportunity with an SRE team where you could do internal load testing or maybe abuse/attack measurement.

Someone I know who used to work on one of those security teams, but has since left Google is @IAmMandatory; he might be better able to give you advice about what is and is not appropriate in ethical hacking. I would guess that brute force exploits like a DNS reflection attack would be very unlikely to earn a Google bug bounty as they would at most just be measuring parameters about where the anti-denial-of-service protections kick in, not revealing unknown vulnerabilities.

I hope this unsatisfactory answer might be better than the silence of indifference that is sometimes the fate of posts on this forum, and I wish you the best of luck in your studies.

@alex

[berning...@gmail.com]

Thank you for your reply! I will definitely look into Google's SRE positions, and I sincerely appreciate the feedback. Hopefully I could see this sort of concept in real-time someday.