[dns-operations] Tracking the DNS amplification attacks
Florian Weimer
fw at deneb.enyo.de
Sun Jan 25 11:43:25 UTC 2009
* Paul Vixie:
> RFC 1035 4.2.2 is just such a stateful resource attack. There is no
> way to protect, nor any reason to depend upon, TCP/53. The
> initiator of the session ("client") also initiates close, whereas
> the responder ("server") has a two minute timeout. So anyone who
> wants a TCP/53 responder to become unavailable can do it with a one
> line perl script or a few hundred half-open connections.
There is no inherent difficulty in securing TCP applications against
low-bandwidth (!) attacks. It's just that application and TCP stack
writers have decided not to do anything about it, assuming that
attackers would switch to high-bandwidth attacks if the vulnerability
were addressed.
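As an added illustration of the point that a TCP/53 responder need not sit on a fixed two-minute timer for idle sessions, here is a small connection-table policy (example code, not from the thread or from any DNS server): a per-source cap plus eviction of the longest-idle session when the table is full, so a few hundred idle connections cannot lock out other clients. Addresses and limits are constructed values.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    cid: int
    src: str
    last_active: float


class Tcp53Table:
    """Bounded table of open TCP/53 sessions (constructed example).

    Two defences against state exhaustion by idle or half-open sessions:
      * a per-source cap, so one address cannot hold every slot; and
      * a short idle timeout with oldest-idle eviction when the table is
        full, so the responder never waits out a fixed two-minute timer.
    """

    def __init__(self, max_total=4, max_per_source=2, idle_timeout=10.0):
        self.max_total = max_total
        self.max_per_source = max_per_source
        self.idle_timeout = idle_timeout
        self.conns = {}                    # cid -> Conn
        self.per_source = defaultdict(int) # src -> open session count
        self._next = 0

    def _drop(self, cid):
        c = self.conns.pop(cid)
        self.per_source[c.src] -= 1

    def expire(self, now):
        """Close every session idle for at least idle_timeout seconds."""
        stale = [c.cid for c in self.conns.values()
                 if now - c.last_active >= self.idle_timeout]
        for cid in stale:
            self._drop(cid)

    def accept(self, src, now):
        """Return a session id, or None if this source is over its cap."""
        self.expire(now)
        if self.per_source[src] >= self.max_per_source:
            return None
        if len(self.conns) >= self.max_total:
            # Table full: evict the longest-idle session rather than refuse
            # the newcomer, so an idle flood cannot lock out other clients.
            victim = min(self.conns.values(), key=lambda c: c.last_active)
            self._drop(victim.cid)
        cid, self._next = self._next, self._next + 1
        self.conns[cid] = Conn(cid, src, now)
        self.per_source[src] += 1
        return cid

    def touch(self, cid, now):
        """Record activity (a query or response) on an open session."""
        if cid in self.conns:
            self.conns[cid].last_active = now
```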