[dns-operations] Tracking the DNS amplification attacks

Florian Weimer fw at deneb.enyo.de
Sun Jan 25 11:43:25 UTC 2009

* Paul Vixie:

> RFC 1035 4.2.2 is just such a stateful resource attack.  there is no
> way to protect, nor any reason to depend upon, TCP/53.  the
> initiator of the session ("client") also initiates close, whereas
> the responder ("server") has a two minute timeout.  so anyone who
> wants a TCP/53 responder to become unavailable can do it with a one
> line perl script or a few hundred half-open connections.

There is no inherent difficulty in securing TCP applications against
low-bandwidth (!) attacks.  It's just that application and TCP stack
writers have decided not to do anything about it, assuming that
attackers would switch to high-bandwidth attacks if the vulnerability
were addressed.
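The kind of low-bandwidth defence the reply has in mind, shown as an added example that is not code from either poster: a responder that keeps a per-source-address connection budget and reaps connections that stay idle past a short timeout, so a few hundred half-open connections from one address consume a bounded slice of state rather than the whole table. The class names, parameters, addresses (RFC 5737 documentation ranges) and the flood scenario are all constructed for this illustration; an injected clock keeps it deterministic and offline.

```python
# Added example (not from the thread): bounding per-source TCP state so that a
# flood of idle connections from one address cannot exhaust a TCP/53 responder.
import time
from collections import defaultdict
from typing import Callable, Dict, List, Optional


class ConnectionBudget:
    """Tracks open connections by source address, enforces per-client and global
    caps, and reaps connections idle longer than a short timeout.

    Hypothetical helper; names and defaults are this example's own."""

    def __init__(self, max_total: int = 1000, max_per_client: int = 10,
                 idle_timeout: float = 2.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_total = max_total
        self.max_per_client = max_per_client
        self.idle_timeout = idle_timeout
        self.clock = clock
        self._last_seen: Dict[int, float] = {}      # conn_id -> last activity time
        self._owner: Dict[int, str] = {}            # conn_id -> client address
        self._per_client: Dict[str, int] = defaultdict(int)

    def admit(self, conn_id: int, client: str) -> bool:
        """Accept a new connection only if neither the global nor the per-client cap is hit."""
        if len(self._owner) >= self.max_total:
            return False
        if self._per_client[client] >= self.max_per_client:
            return False
        self._owner[conn_id] = client
        self._per_client[client] += 1
        self._last_seen[conn_id] = self.clock()
        return True

    def touch(self, conn_id: int) -> None:
        """Record activity (a complete DNS message arrived) so the idle timer restarts."""
        if conn_id in self._owner:
            self._last_seen[conn_id] = self.clock()

    def release(self, conn_id: int) -> None:
        """Forget a connection and return its slot to the owning client's budget."""
        client = self._owner.pop(conn_id, None)
        if client is None:
            return
        self._last_seen.pop(conn_id, None)
        self._per_client[client] -= 1
        if self._per_client[client] == 0:
            del self._per_client[client]

    def reap_idle(self) -> List[int]:
        """Close every connection idle longer than idle_timeout; return the closed ids."""
        now = self.clock()
        stale = [cid for cid, t in self._last_seen.items() if now - t > self.idle_timeout]
        for cid in stale:
            self.release(cid)
        return stale

    def open_count(self, client: Optional[str] = None) -> int:
        """Open connections overall, or for one client address."""
        return len(self._owner) if client is None else self._per_client.get(client, 0)


class FakeClock:
    """Deterministic clock so the scenario below runs instantly and offline."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def half_open_flood_scenario(flood_size: int = 300) -> dict:
    """Constructed scenario: one address opens flood_size connections and never
    sends a byte, while a legitimate resolver connects and keeps talking."""
    clock = FakeClock()
    budget = ConnectionBudget(max_total=100, max_per_client=5, idle_timeout=2.0, clock=clock)
    attacker, legit = "192.0.2.10", "198.51.100.7"   # RFC 5737 documentation addresses

    admitted = sum(budget.admit(i, attacker) for i in range(flood_size))
    legit_ok = budget.admit(flood_size, legit)
    clock.advance(1.0)
    budget.touch(flood_size)          # legitimate client sends a query at t=1s
    clock.advance(1.5)                # t=2.5s: attacker idle 2.5s, legit idle 1.5s
    reaped = budget.reap_idle()
    return {
        "attacker_admitted": admitted,
        "legit_admitted": legit_ok,
        "reaped": len(reaped),
        "open_after_reap": budget.open_count(),
        "attacker_open_after_reap": budget.open_count(attacker),
    }


if __name__ == "__main__":
    print(half_open_flood_scenario())
```

The two knobs do different jobs: the per-client cap bounds how much state any single source can pin regardless of timeout, and the idle reaper bounds how long pinned state survives without a full message arriving. A real server would call `touch()` only after a complete length-prefixed DNS message has been read, not on every byte, so a sender trickling one byte per minute does not keep resetting the timer.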
