[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record
John Kristoff
jtk at cymru.com
Fri Jun 24 17:26:33 UTC 2011
On Fri, 24 Jun 2011 07:19:27 -1000
David Conrad <drc at virtualized.org> wrote:
> In most cases I'm aware of (at least from my root server-ish days),
> the "attack" (which may not be intentional) is sourced from a single
> address. However, I will admit not having looked at anything shorter.
In my experience, that is the only attack profile I've seen too, but I
don't think we can count on miscreants to conform to past profiles.
There is one bit left in the header to be defined. Maybe DNS needs its
own RFC 3514-like definition for the "evil query" bit? :-)
John