[dns-operations] Amplification attack today ?
paul at vix.com
Fri Mar 2 15:13:49 UTC 2007
> If I understand the proposal well, the purpose of the blocking by the
> root-servers is to make the "open recursors" aware of the fact that they
> are 'open' by denying them service. So all this work would be a public
that's my understanding also.
> Still John's argument holds. It is not realistic for the root-servers to
> query the DNS 40.000 times per second to see if it should deny service to
> the resolver contacting it. Even when it would be possible to maintain the
> blacklist locally I do not think the root-servers should be playing
> internet police.
it would have to be done by bgp blackholes rather than dns blackholes. and
since it's a public service rather than a real time operational shield, there
could be a simple rotation of "1000 at a time", perhaps changed every hour or
> And just as with mail-blacklists the folk that are the false positives
> will suffer badly.
> I am ready to dismiss this idea.
as a rootop, so am i. but as an operator of the vix.com server, i'd be
willing to consider it. on the internet, there is no growth without pain.
More information about the dns-operations