[dns-operations] on amplification, udp, and dns
Edward Lewis
Ed.Lewis at neustar.biz
Thu Mar 23 19:01:12 UTC 2006
Sometimes it seems to me that the only way to prevent DNS's use of
UDP as a tool for amplification is to require that queries be almost
as big, or perhaps even bigger than, responses.
Closing down open recursive servers only shuts down one amplification
path, but one that today is significant because the number of open
resolvers out there is much larger than the number of authoritative
servers with large data sets.
But if DNSSEC (a desirable thing to quite a few folks) gets to
widespread deployment, then there will be many authoritative servers
that will be available for amplification services. What a dilemma:
improving the security of DNS makes DNS a more valuable tool for DDoS.
EDNS0 opens up the message size, which is needed for DNSSEC, IPv6 glue, and
the NAPTR record in ENUM. But then again, this improvement
facilitates amplification.
This does not make me happy.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
Nothin' more exciting than going to the printer to watch the toner drain...
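As an added illustration of the query-size versus response-size point made above (example code written for this page, not from the post or any DNS software): it builds a minimal DNS query with and without an EDNS0 OPT record, reads back the UDP payload size the query advertises, and divides that by the query length to get the worst-case bytes-out-per-byte-in a server could be made to send. The query name `example.com` and ID `0x1234` are constructed sample values.

```python
import struct

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels, no compression."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(qname, qtype=1, edns_payload=None, dnssec_ok=False):
    """Minimal DNS query (ID 0x1234, RD set). With edns_payload, an EDNS0 OPT
    RR is appended: root name, TYPE 41, CLASS = advertised UDP payload size,
    TTL = ext-rcode/version/flags (DO bit is 0x8000), RDLEN 0."""
    arcount = 1 if edns_payload else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    msg = header + question
    if edns_payload:
        ttl = 0x8000 if dnssec_ok else 0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_payload, ttl, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past the name starting at off (handles pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def advertised_udp_size(msg):
    """UDP payload size a query advertises: OPT CLASS if present, else the
    classic 512-byte limit."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:                         # OPT pseudo-RR
            return rclass
        off += 10 + rdlen
    return 512

def worst_case_amplification(query):
    """Largest UDP response the query permits, per byte of query sent."""
    return advertised_udp_size(query) / len(query)

if __name__ == "__main__":
    plain = build_query("example.com")
    edns = build_query("example.com", edns_payload=4096, dnssec_ok=True)
    print(len(plain), worst_case_amplification(plain))   # 29 bytes, ~17.7x
    print(len(edns), worst_case_amplification(edns))     # 40 bytes, 102.4x
```

The 11 extra bytes of the OPT record raise the advertised response ceiling from 512 to 4096 bytes, which is the asymmetry the post describes; a defender watching a resolver can apply the same ratio to observed query/response pairs.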