[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

John Kristoff jtk at cymru.com
Wed Jun 22 13:54:01 UTC 2011

On Wed, 22 Jun 2011 12:27:12 +0000
"Dobbins, Roland" <rdobbins at arbor.net> wrote:

> > Then, what do you suggest?
> What I already posted - query/response analysis to be used in
> selective filtering/answer poisoning or IDMS.

As long as there is the possibility to overwhelm the link capacity of
the server with well-formed messages, filtering at the receiver edge
will be of limited, if any, help.

Rodney and I co-authored a little known paper entitled "Botnets and
Packet Flooding DDoS Attacks on the Domain Name System" that outlined
a few mitigation strategies that were in common use at the time of
writing.  The strategies discussed include the following:

  * capacity
  * anycast DNS
  * local node distribution
  * victim separation
  * filtering and black holes
  * scrubbers and TCP forcing gear
  * upstream and community cooperation
  * botnet infiltration and mitigation
  * calling the cops

There may be more, but in my experience, a well designed packet
flooding attack should minimally be met by an equally well designed
anycast implementation and cooperative upstreams.  See the paper for
additional details.
