[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

David Conrad drc at virtualized.org
Fri Jun 24 23:20:53 UTC 2011


On Jun 24, 2011, at 12:47 PM, Dobbins, Roland wrote:
> On Jun 24, 2011, at 6:21 PM, David Conrad wrote:
>> But that would defeat the amplification attack, no?
> Actually, all the attacker has to do is to vary the source port of each query in order to overwhelm stateful inspection devices.

Depends on the stateful inspection being done.  The model I have in mind doesn't care about the source port.

I'm sensing this discussion has (long ago?) passed the point of diminishing returns.  I'll simply say that I believe rate limiting is a viable mitigation for amplification attacks and that I believe there are ways that it could reasonably be implemented.  I'll put that on my list of things to implement (:-)).

Regards,
-drc
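As an added illustration of the per-source rate-limiting model sketched above (this is example code written for this page, not anything David Conrad or any DNS server implements): a token bucket keyed on the querying IP address only, so that cycling the source port, as Roland describes, does not give the sender a fresh allowance. The class and function names, the rate and burst values, and the sample traffic (addresses from the RFC 5737 documentation ranges) are all constructed for the example.

```python
class ResponseRateLimiter:
    """Per-client-address token bucket for DNS responses.

    Keyed on the query's source IP only; the source port is deliberately
    not part of the key, so a sender varying ports still draws from one
    bucket per address.  Time is passed in explicitly so it is testable.
    """

    def __init__(self, rate_per_sec: float, burst: int):
        self.rate = rate_per_sec          # tokens refilled per second
        self.burst = burst                # bucket capacity
        self.buckets = {}                 # src_ip -> [tokens, last_seen]

    def allow(self, src_ip: str, src_port: int, now: float) -> bool:
        """Return True if a response to this query should be sent."""
        bucket = self.buckets.get(src_ip)
        if bucket is None:
            bucket = self.buckets[src_ip] = [float(self.burst), now]
        tokens, last = bucket
        # Refill for elapsed time, capped at the burst size.
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            bucket[:] = [tokens - 1.0, now]
            return True
        bucket[:] = [tokens, now]         # keep the partial refill, drop query
        return False


def simulate(queries, rate=5.0, burst=10):
    """Feed (src_ip, src_port, t) tuples through the limiter in time order.

    Returns {src_ip: (answered, dropped)}.
    """
    limiter = ResponseRateLimiter(rate, burst)
    stats = {}
    for ip, port, t in sorted(queries, key=lambda q: q[2]):
        answered, dropped = stats.get(ip, (0, 0))
        if limiter.allow(ip, port, t):
            stats[ip] = (answered + 1, dropped)
        else:
            stats[ip] = (answered, dropped + 1)
    return stats


# Constructed sample: 100 queries in one second that all claim to come from
# 198.51.100.7, each from a different source port, alongside a legitimate
# resolver at 192.0.2.10 sending three queries 0.3 s apart.
SAMPLE = [("198.51.100.7", 10000 + i, i / 100.0) for i in range(100)] + \
         [("192.0.2.10", 53000, 0.3 * i) for i in range(3)]

if __name__ == "__main__":
    print(simulate(SAMPLE))
```

With a burst of 10 and a refill of 5 per second, the spoofed address gets at most 15 answers out of 100 regardless of how many ports it uses, while the slow legitimate resolver is never throttled.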