[dns-operations] Limiting DNSSEC-based amplification attacks

bert hubert bert.hubert at netherlabs.nl
Sat Jun 25 15:42:03 UTC 2011


On Sat, Jun 25, 2011 at 03:13:01PM +0100, Jim Reid wrote:
> IIUC some implementations -- PowerDNS? -- already keep a cache in
> wire format of recent answers they've sent. So it would be a

Indeed.

> no-brainer to extend that to do rate limiting. However it's not

True.

> clear to me if the overhead of that cache maintenance and lookup
> would be worth it. The bad guy would probably still be capable of

While I'm all for open source etc, it might well be that battling DoS
attacks is best performed out of sight. As has been discussed here, any
strategy employed has a viable counterstrategy.

"Stock" anti-DoS strategies might well be less efficient than undisclosed
anti-DoS strategies.

In that sense what would be required is more of a toolbox than a set
strategy.

	Bert
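An added example (not code from this thread or from PowerDNS) of the rate limiter Jim sketches above: a counter layered on the hash of a wire-format answer the server has already cached, so the lookup is one dictionary probe per response. The grouping of clients into /24 and /56 prefixes, the limit and the window are my assumptions.

```python
import hashlib
import ipaddress
from collections import deque


class ResponseRateLimiter:
    """Rate limiting keyed on (client prefix, cached wire-format answer).

    Hypothetical design: if the identical answer has already gone to the
    same client prefix `limit` times within `window` seconds, the next
    copy is dropped rather than sent. Spoofed-source amplification sends
    the same answer to the same victim over and over, so it hits the cap;
    an ordinary resolver asking the same question rarely does.
    """

    def __init__(self, limit=5, window=1.0):
        self.limit = limit
        self.window = window
        self.sent = {}  # key -> deque of timestamps of answers sent

    @staticmethod
    def _prefix(client_ip):
        # Group by /24 (IPv4) or /56 (IPv6) so a spoofer cannot dodge the
        # counter by spreading the victim address over a few neighbours.
        ip = ipaddress.ip_address(client_ip)
        bits = 24 if ip.version == 4 else 56
        return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))

    def allow(self, client_ip, wire_answer, now):
        """Return True if this answer may be sent to client_ip at time now."""
        key = (self._prefix(client_ip), hashlib.sha1(wire_answer).digest())
        q = self.sent.setdefault(key, deque())
        while q and now - q[0] > self.window:  # expire old sends
            q.popleft()
        if len(q) >= self.limit:
            return False  # over the cap: drop instead of amplifying
        q.append(now)
        return True


def simulate(limiter, events):
    """events: (client_ip, wire_answer, timestamp); returns (sent, dropped)."""
    sent = dropped = 0
    for client_ip, answer, ts in events:
        if limiter.allow(client_ip, answer, ts):
            sent += 1
        else:
            dropped += 1
    return sent, dropped
```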
