[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

David Conrad drc at virtualized.org
Fri Jun 24 21:34:42 UTC 2011

On Jun 24, 2011, at 10:53 AM, John Kristoff wrote:
>> Anyhow, the point is that rate limiting can be helpful in reducing
>> the threat of (some of the) amplification attacks. What's the
>> alternative?
> A truncated answer is one.

Hmm. TC (with syn cookies) after qps from a single source passes some threshold would deal with spoofed source addresses, but I'd think it'd be a bit scary since TCP hurts more on a per-query basis.  Wouldn't this set the auth server up for being DoS'd (at least for TCP service)?  Maybe that's less worrisome?


More information about the dns-operations mailing list