[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

Stephane Bortzmeyer bortzmeyer at nic.fr
Mon Jun 27 09:30:32 UTC 2011

On Fri, Jun 24, 2011 at 05:27:45PM +0200,
 Hauke Lampe <lampe at hauke-lampe.de> wrote 
 a message of 86 lines which said:

> It is a nameserver's job to answer all valid queries as fast as
> possible,

[TLD operator hat firmly on.]

I strongly disagree. An important point of the class of attacks we are
discussing (and several people seem to have mixed it with other
classes, such as DDoS targeted toward the name server operator) is
that the DNS operator is not the target, he is the relay. Thus, it can
be seen as an _accomplice_ of the attacker. IMHO, the DNS operator has
the responsibility to do something.

> filling as much of the client's advertised buffer size as necessary.

Since the source IP address is forged, this is very bad advice. The
DNS operator should try to decrease the throughput, not to increase

> The new pattern asks for "se. ANY ANY" and is also easy to block
> because of the uncommon qtype/qname combination.

The attacker chooses the low-hanging fruit. If few people filter, he
has no motivation to improve his attack. But the past does not speak
for the future: the next attacker may be less lazy.
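To make the "decrease the throughput" argument concrete, here is an added illustration (not part of the thread and not any particular server's code) of a per-source response rate limiter in the spirit of DNS Response Rate Limiting: once a /24 exceeds its budget for one (qname, qtype), most answers are dropped and every Nth is replaced by a small truncated reply, so a spoofed victim receives little while a genuine resolver can still retry over TCP. The message sizes, rate limits and the 100-query "se. ANY" flood are constructed assumptions for the demonstration.

```python
from collections import defaultdict

# Constructed sizes: a small query versus a large DNSSEC-signed ANY answer.
QUERY_BYTES = 64
FULL_RESPONSE_BYTES = 3000
TRUNCATED_BYTES = 64  # header + question with TC=1, invites a TCP retry


class ResponseRateLimiter:
    """Token bucket per (source /24, qname, qtype), reset every second."""

    def __init__(self, responses_per_second=5, slip=2):
        self.limit = responses_per_second
        self.slip = slip  # every slip-th over-limit query gets a truncated reply
        self.buckets = defaultdict(lambda: {"sec": -1, "count": 0, "over": 0})

    @staticmethod
    def _key(src_ip, qname, qtype):
        net = ".".join(src_ip.split(".")[:3])  # aggregate per IPv4 /24
        return (net, qname.lower(), qtype)

    def respond(self, now, src_ip, qname, qtype):
        """Bytes sent for this query: full answer, truncated reply, or 0 (dropped)."""
        b = self.buckets[self._key(src_ip, qname, qtype)]
        sec = int(now)
        if b["sec"] != sec:
            b["sec"], b["count"], b["over"] = sec, 0, 0
        b["count"] += 1
        if b["count"] <= self.limit:
            return FULL_RESPONSE_BYTES
        b["over"] += 1
        if b["over"] % self.slip == 0:
            return TRUNCATED_BYTES  # a real client retries over TCP; a forged one never does
        return 0


def amplification(limiter, queries):
    """Bytes out divided by bytes in over a list of (time, src_ip, qname, qtype)."""
    out = sum(limiter.respond(*q) for q in queries)
    return out / (QUERY_BYTES * len(queries))


# Constructed flood: 100 "se. ANY" queries within one second, same forged source.
FLOOD = [(0.01 * i, "192.0.2.10", "se.", "ANY") for i in range(100)]

if __name__ == "__main__":
    print("unlimited:", amplification(ResponseRateLimiter(10**9), FLOOD))
    print("limited:  ", amplification(ResponseRateLimiter(5, 2), FLOOD))
```

With these constructed numbers the relay amplifies the forged source's traffic about 47x unlimited and under 3x once limited; the bucket key is the part to tune, since too coarse a key also throttles a busy legitimate resolver behind one /24.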
