[dns-operations] Limiting DNSSEC-based amplification attacks
bert hubert
bert.hubert at netherlabs.nl
Sat Jun 25 15:42:03 UTC 2011
On Sat, Jun 25, 2011 at 03:13:01PM +0100, Jim Reid wrote:

> IIUC some implementations -- PowerDNS? -- already keep a cache in
> wire format of recent answers they've sent. So it would be a

Indeed.

> no-brainer to extend that to do rate limiting. However it's not

True.

> clear to me if the overhead of that cache maintenance and lookup
> would be worth it. The bad guy would probably still be capable of

While I'm all for open source etc, it might well be that battling DoS
attacks is best performed out of sight. As has been discussed here, any
strategy employed has a viable counterstrategy.

"Stock" anti-DoS strategies might well be less efficient than undisclosed
anti-DoS strategies.

In that sense what would be required is more of a toolbox than a set
strategy.

Bert
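The mechanism Jim sketches and Bert confirms (a wire-format answer cache on an authoritative server, extended with per-client rate limiting so that spoofed queries stop producing full-size amplified answers) can be illustrated with a small model. The following is an added example written for this page; it is not PowerDNS code and not from either poster. The bucket key (client /24 prefix plus query name), the rate and window values, the "slip" rule that answers every Nth excess query with a small truncated (TC=1) response instead of dropping it, and the stand-in `render()` encoding are all assumptions of the example.

```python
import time
from collections import defaultdict


class ResponseRateLimiter:
    """Toy response-rate-limiter for an authoritative server (assumed design).

    Answers already rendered to wire format are cached by (qname, qtype), so
    a repeated query costs a dictionary lookup rather than a fresh render.
    Each (client /24 prefix, qname) bucket may receive at most `rate`
    full-size answers per `window` seconds.  Excess queries are either
    dropped or, every `slip`-th time, answered with a tiny TC=1 response:
    a real resolver retries over TCP and still gets its answer, while a
    spoofed source never does, so the amplification factor collapses.
    """

    def __init__(self, rate=5, slip=2, window=1.0):
        self.rate = rate
        self.slip = slip
        self.window = window
        self.wire_cache = {}                            # (qname, qtype) -> bytes
        self.buckets = defaultdict(lambda: [0, 0.0])    # key -> [count, window_start]
        self.excess = defaultdict(int)                  # key -> excess queries this window

    @staticmethod
    def client_key(src_ip, qname):
        # Bucket by /24 so varying the low octet of a spoofed source
        # does not yield a fresh allowance (assumed granularity).
        prefix = ".".join(src_ip.split(".")[:3]) + ".0/24"
        return (prefix, qname.lower())

    def render(self, qname, qtype, rrs):
        # Stand-in for wire-format encoding: constructed, deterministic bytes.
        key = (qname.lower(), qtype)
        if key not in self.wire_cache:
            self.wire_cache[key] = b"".join(rr.encode() + b"\x00" for rr in rrs)
        return self.wire_cache[key]

    def handle(self, src_ip, qname, qtype, rrs, now=None):
        """Return (action, payload); action is 'answer', 'truncate' or 'drop'."""
        now = time.monotonic() if now is None else now
        key = self.client_key(src_ip, qname)
        bucket = self.buckets[key]
        if now - bucket[1] >= self.window:      # start a new accounting window
            bucket[0], bucket[1] = 0, now
            self.excess[key] = 0
        bucket[0] += 1
        if bucket[0] <= self.rate:
            return ("answer", self.render(qname, qtype, rrs))
        self.excess[key] += 1
        if self.slip and self.excess[key] % self.slip == 0:
            return ("truncate", b"TC")          # small reply, invites TCP retry
        return ("drop", b"")


def simulate(client_ips, qname, count, now=100.0):
    """Run `count` identical queries from each client at one instant (constructed input)."""
    rrl = ResponseRateLimiter(rate=3, slip=2, window=1.0)
    rrs = ["example.com. 3600 IN A 192.0.2.1"]   # constructed sample RRset
    return {ip: [rrl.handle(ip, qname, "A", rrs, now=now)[0] for _ in range(count)]
            for ip in client_ips}


if __name__ == "__main__":
    for ip, actions in simulate(["198.51.100.7"], "example.com", 7).items():
        print(ip, actions)
```

The per-query cost this adds is exactly what the thread questions: two dictionary lookups and a counter update, against which the cached wire bytes save re-rendering the answer. In a real server the buckets would need bounded memory (an LRU or periodic sweep) so that the rate-limit state itself cannot be grown without limit by a flood of distinct names.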