[dns-operations] Amplification attack today ?

Lutz Donnerhacke lutz at iks-jena.de
Tue Mar 6 09:42:39 UTC 2007

* Michael Monnerie wrote:
> No problem for me. Let's wait until someone really manages to use open 
> relays for a DDoS against root servers, and then it will be interesting 
> to see which solutions will be done. I guess implementing more root 
> servers is the only solution then.

Every centralized structure is vulnerable to DDoS. The only possible
solution is to decentralize, i.e. set up DNS root servers on each ISP and
limit the rate of cross-AS DNS queries to root servers. A practical solution
is anycast: You can't attack a foreign server.

BTW: DDoS has nothing to do with open recursive resolvers.

