[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record
David Conrad
drc at virtualized.org
Fri Jun 24 21:34:42 UTC 2011
On Jun 24, 2011, at 10:53 AM, John Kristoff wrote:
>> Anyhow, the point is that rate limiting can be helpful in reducing
>> the threat of (some of the) amplification attacks. What's the
>> alternative?
>
> A truncated answer is one.
Hmm. TC (with SYN cookies) after qps from a single source passes some threshold would deal with spoofed source addresses, but I'd think it'd be a bit scary since TCP hurts more on a per-query basis. Wouldn't this set the auth server up for being DoS'd (at least for TCP service)? Maybe that's less worrisome?
Regards,
-drc
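
The idea discussed in this message (answer with TC=1 once a single source passes a qps threshold), as an added sketch that is not part of the original post or of any name server's code. The `SourceLimiter` class, the one-second window, the threshold value and the sample query are assumptions made for illustration.

```python
import struct

QR, AA, TC = 0x8000, 0x0400, 0x0200
KEEP = 0x7900  # opcode and RD bits are copied from the query

def truncated_reply(query: bytes) -> bytes:
    """Empty response with TC=1: header plus the original question only."""
    if len(query) < 12:
        raise ValueError("short header")
    qid, flags, qdcount = struct.unpack_from("!HHH", query, 0)
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos = 12
    while pos < len(query) and query[pos] != 0:  # walk QNAME labels
        if query[pos] & 0xC0:
            raise ValueError("compressed or invalid label")
        pos += 1 + query[pos]
    end = pos + 5  # root label + QTYPE + QCLASS
    if end > len(query):
        raise ValueError("short question")
    # Any additional records (e.g. EDNS0 OPT) are dropped, so the reply
    # is never larger than the query that triggered it.
    header = struct.pack("!HHHHHH", qid, QR | AA | TC | (flags & KEEP), 1, 0, 0, 0)
    return header + query[12:end]

class SourceLimiter:
    """Per-source query counter over one-second windows (hypothetical helper)."""
    def __init__(self, max_qps: int):
        self.max_qps = max_qps
        self.window = {}  # source address -> (second, count)

    def over_limit(self, src: str, now: float) -> bool:
        sec = int(now)
        start, count = self.window.get(src, (sec, 0))
        if start != sec:
            start, count = sec, 0
        self.window[src] = (start, count + 1)
        return count + 1 > self.max_qps

    def handle_udp(self, src: str, query: bytes, now: float):
        """TC reply once src exceeds max_qps; None means answer normally."""
        return truncated_reply(query) if self.over_limit(src, now) else None

def sample_query() -> bytes:
    """Constructed query: example.com TXT IN with an EDNS0 OPT record."""
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 16, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1) + question + opt
```

The window table grows with the number of distinct sources seen, so a long-running limiter would also need to expire old entries.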