[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record
Stephane Bortzmeyer
bortzmeyer at nic.fr
Wed Jun 22 14:27:31 UTC 2011
On Wed, Jun 22, 2011 at 08:54:01AM -0500,
John Kristoff <jtk at cymru.com> wrote
a message of 40 lines which said:
> As long as there is the possibility to overwhelm the link capacity
> of the server with well-formed messages, filtering at the receiver
> edge will be of limited, if any, help.
I had the feeling that Roland Dobbins was suggesting to filter on the
relay (the authoritative name server). This is certainly what I was
asking for: mitigation techniques, not for the victim, but for me, the
potential relay.
> * capacity
> * anycast DNS
In the case of the specific attack described here, capacity *increases*
the risk because it makes the DNS hoster a more interesting relay for
the attacker.