[dns-operations] First experiments with DNS dampening to fight amplification attacks
paul at redbarn.org
Thu Oct 25 17:48:35 UTC 2012
On 10/25/2012 5:08 PM, Michael Hoskins (michoski) wrote:
> Seems to show clever hacks can be useful (looks good for roots), but don't
> generally work against real hackers who typically read lists (and source
> code). :-)
until cisco makes source address validation the default, we have no
tools available to thwart ddos, other than clever hacks. all of which
will have serious limitations in the face of a determined attacker.
however, there are not very many determined attackers.
michael, please send diffs to
<http://ss.vix.com/~vixie/isc-tn-2012-1.txt> section 5, which currently
5 - Attacker Behaviour
5.1. A forged-source reflective amplifying attacker who wants to be
successful will either have to select authority servers who do not
practice rate limiting yet, or will have to select a large number of
authority servers and use round robin to distribute the attack flows.
Each authority server will have to be asked a question within one of
that server's zones chosen at random in order to get an amplification
effect. An attacker would do well to select DNSSEC-signed zones and to
use DNSSEC signalling in their forged queries to maximize response size.
This will be more effective than QTYPE ANY queries which are often
blocked altogether due to their diagnostic rather than operational
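As an added illustration of the per-server rate limiting ("dampening") this thread discusses, the following is a small response-rate-limiting simulator written for this page. It is not code from the thread, from ISC or from any DNS server. The class and parameter names (`ResponseRateLimiter`, `responses_per_second`, `window`, `slip`, `prefix_len`), the token-bucket details and the traffic mix in `demo()` are this example's own assumptions; the addresses are documentation-range values constructed for the demonstration.

```python
"""Per-(client network, qname, qtype) token-bucket response rate limiter.

Constructed example for illustration; the parameter names are this
example's own and are not a real server's configuration keys.
"""
import ipaddress
from collections import defaultdict


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, window=15, slip=2, prefix_len=24):
        self.rps = float(responses_per_second)          # tokens refilled per second
        self.capacity = responses_per_second * window    # burst allowance
        self.slip = slip                                 # every slip-th limited answer is sent truncated
        self.prefix_len = prefix_len                     # clients are bucketed by this prefix length
        self._credit = {}                                # key -> (tokens, time of last refill)
        self._limited = defaultdict(int)                 # key -> consecutive rate-limited answers

    def _key(self, client_ip, qname, qtype):
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper())

    def decide(self, client_ip, qname, qtype, now):
        """Return 'send', 'drop' or 'slip' (send a truncated reply so a real client retries over TCP)."""
        key = self._key(client_ip, qname, qtype)
        tokens, last = self._credit.get(key, (self.rps, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rps)
        if tokens >= 1:
            self._credit[key] = (tokens - 1, now)
            self._limited[key] = 0
            return "send"
        self._credit[key] = (tokens, now)
        self._limited[key] += 1
        if self.slip and self._limited[key] % self.slip == 0:
            return "slip"
        return "drop"


def simulate(limiter, traffic):
    """traffic: iterable of (time, client_ip, qname, qtype); returns per-client decision counts."""
    counts = defaultdict(lambda: defaultdict(int))
    for t, ip, qname, qtype in traffic:
        counts[ip][limiter.decide(ip, qname, qtype, t)] += 1
    return {ip: dict(c) for ip, c in counts.items()}


def demo():
    """Constructed traffic: a well-behaved resolver beside a forged-source flood aimed at one server."""
    limiter = ResponseRateLimiter(responses_per_second=5, window=15, slip=2)
    traffic = []
    # Legitimate resolver: 3 queries per second for 10 seconds (30 queries).
    for i in range(30):
        traffic.append((i / 3.0, "192.0.2.10", "www.example.com", "A"))
    # Flood: 1000 queries per second for 10 seconds whose forged source is the victim 203.0.113.7.
    for i in range(10000):
        traffic.append((i / 1000.0, "203.0.113.7", "example.com", "ANY"))
    traffic.sort(key=lambda e: e[0])
    return simulate(limiter, traffic)


if __name__ == "__main__":
    for ip, decisions in demo().items():
        print(ip, decisions)
```

In `demo()` the resolver at 192.0.2.10 never exceeds its bucket and every one of its 30 queries is answered, while the 10,000 forged-source queries for 203.0.113.7 earn only about 55 full-size answers (the initial credit plus 5 per second), with the rest dropped or slipped. Each limiter only sees its own server's traffic, so the cap is per server, which is exactly the limitation section 5 describes.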