[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

Dobbins, Roland rdobbins at arbor.net
Mon Jun 27 04:30:30 UTC 2011

On Jun 24, 2011, at 10:27 PM, Hauke Lampe wrote:

> I don't think authoritative servers can do much against amplification attacks, except maybe not answering to queries for unknown zones instead of refusing it.

There are in fact ways to deal with this, but they involve making use of mitigation tools such as S/RTBH, flowspec, and/or IDMS.

Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

		The basis of optimism is sheer terror.

			  -- Oscar Wilde

More information about the dns-operations mailing list