[dns-operations] First experiments with DNS dampening to fight amplification attacks

paul vixie paul at redbarn.org
Thu Oct 25 17:48:35 UTC 2012

On 10/25/2012 5:08 PM, Michael Hoskins (michoski) wrote:
> ...
> Seems to show clever hacks can be useful (looks good for roots), but don't
> generally work against real hackers who typically read lists (and source
> code).  :-)

until cisco makes source address validation the default, we have no
tools available to thwart ddos, other than clever hacks. all of which
will have serious limitations in the face of a determined attacker.
however, there are not very many determined attackers.

michael, please send diffs to
<http://ss.vix.com/~vixie/isc-tn-2012-1.txt> section 5, which currently

   5 - Attacker Behaviour

   5.1. A forged-source reflective amplifying attacker who wants to be
   successful will either have to select authority servers who do not
   practice rate limiting yet, or will have to select a large number of
   authority servers and use round robin to distribute the attack flows.
   Each authority server will have to be asked a question within one of
   that server's zones chosen at random in order to get an amplification
   effect. An attacker would do well to select DNSSEC-signed zones and to
   use DNSSEC signalling in their forged queries to maximize response size.
   This will be more effective than QTYPE ANY queries which are often
   blocked altogether due to their diagnostic rather than operational



More information about the dns-operations mailing list