[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed Jun 22 14:27:31 UTC 2011


On Wed, Jun 22, 2011 at 08:54:01AM -0500,
 John Kristoff <jtk at cymru.com> wrote a message of 40 lines which said:

> As long as there is the possibility to overwhelm the link capacity
> of the server with well-formed messages, filtering at the receiver
> edge will be of limited, if any, help.

I had the feeling that Roland Dobbins was suggesting to filter on the
relay (the authoritative name server). This is certainly what I was
asking for: mitigation techniques, not for the victim, but for me, the
potential relay.
 
>   * capacity
>   * anycast DNS

In the case of the specific attack described here, capacity *increases*
the risk because it makes the DNS hoster a more interesting relay for
the attacker.
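The thread asks for mitigation that the potential relay (the authoritative server) can apply itself. The following is an added illustration written for this page, not code from the thread, from the poster or from any name-server product: it models the relay-side view of the problem as per-source-prefix response rate limiting, where a source that keeps eliciting large signed answers is either dropped or handed a truncated reply so that a real resolver can retry over TCP while a spoofed victim receives almost nothing. The log lines, the prefix sizes (/24 and /56), the 5-responses-per-second limit and the 64-byte size of a truncated reply are all constructed assumptions chosen for the example; the thread names no such thresholds.

```python
"""Per-source response rate limiting as seen from an authoritative DNS server.

Added example for this mailing-list page; all thresholds and log data are
constructed assumptions, not values taken from the thread.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple
import ipaddress

# Constructed sample of (time_s, client_ip, qname, qtype, response_bytes).
# 203.0.113.7 (a spoofed victim address, per the attack pattern discussed
# in the thread) "asks" 20 times per second for a large signed ANY answer;
# 198.51.100.2 is an ordinary resolver asking a few times per second.
SAMPLE_LOG: List[Tuple[float, str, str, str, int]] = sorted(
    [(i * 0.05, "203.0.113.7", "example.com.", "ANY", 3100) for i in range(20)]
    + [(0.0, "198.51.100.2", "example.com.", "A", 120),
       (0.4, "198.51.100.2", "example.com.", "A", 120),
       (0.8, "198.51.100.2", "example.com.", "A", 120)]
)

RESPONSES_PER_SECOND = 5   # assumed per-prefix budget
WINDOW_S = 1.0
SLIP = 2                   # every 2nd excess response is truncated rather than dropped
TRUNCATED_REPLY_BYTES = 64  # assumed size of a header-only TC=1 reply


def source_bucket(ip: str) -> str:
    """Aggregate clients by prefix so one spoofed host cannot dodge the limit."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 56
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


class ResponseRateLimiter:
    """Sliding-window limiter: 'answer', 'truncate' (TC=1) or 'drop' per response."""

    def __init__(self, limit: int = RESPONSES_PER_SECOND,
                 window: float = WINDOW_S, slip: int = SLIP) -> None:
        self.limit, self.window, self.slip = limit, window, slip
        self.sent: Dict[str, Deque[float]] = defaultdict(deque)
        self.excess: Dict[str, int] = defaultdict(int)

    def decide(self, now: float, client_ip: str) -> str:
        bucket = source_bucket(client_ip)
        recent = self.sent[bucket]
        while recent and now - recent[0] > self.window:
            recent.popleft()           # forget responses outside the window
        if len(recent) < self.limit:
            recent.append(now)
            return "answer"
        self.excess[bucket] += 1
        if self.slip and self.excess[bucket] % self.slip == 0:
            # A tiny truncated reply: a genuine resolver retries over TCP,
            # a spoofed victim gets a few bytes instead of a large amplified answer.
            return "truncate"
        return "drop"


def run(log: List[Tuple[float, str, str, str, int]]) -> Dict[str, Dict[str, int]]:
    """Replay a log through a fresh limiter; return per-prefix counts and byte totals."""
    limiter = ResponseRateLimiter()
    stats: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"answer": 0, "truncate": 0, "drop": 0,
                 "bytes_sent": 0, "bytes_suppressed": 0})
    for ts, ip, _qname, _qtype, size in log:
        action = limiter.decide(ts, ip)
        s = stats[source_bucket(ip)]
        s[action] += 1
        if action == "answer":
            s["bytes_sent"] += size
        elif action == "truncate":
            s["bytes_sent"] += TRUNCATED_REPLY_BYTES
            s["bytes_suppressed"] += size - TRUNCATED_REPLY_BYTES
        else:
            s["bytes_suppressed"] += size
    return dict(stats)


if __name__ == "__main__":
    for prefix, s in run(SAMPLE_LOG).items():
        print(prefix, s)
```

The point the numbers make is the one argued in the message: the limiter cuts the bytes the relay emits toward a spoofed prefix without touching the legitimate resolver, and it does so at the relay rather than at the victim's edge. Raising link capacity alone changes none of these counts.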