[dns-operations] First experiments with DNS dampening to fight amplification attacks
Michael Hoskins (michoski)
michoski at cisco.com
Thu Oct 25 17:59:47 UTC 2012
-----Original Message-----
From: paul vixie <paul at redbarn.org>
Date: Thursday, October 25, 2012 1:48 PM
To: Mike Hoskins <michoski at cisco.com>
Cc: Lutz Donnerhacke <lutz at iks-jena.de>,
"dns-operations at mail.dns-oarc.net" <dns-operations at mail.dns-oarc.net>
Subject: Re: [dns-operations] First experiments with DNS dampening to
fight amplification attacks
>On 10/25/2012 5:08 PM, Michael Hoskins (michoski) wrote:
>> ...
>>
>> Seems to show clever hacks can be useful (looks good for roots), but
>> don't generally work against real hackers who typically read lists
>> (and source code). :-)
>
>until cisco makes source address validation the default, we have no
>tools available to thwart ddos, other than clever hacks. all of which
>will have serious limitations in the face of a determined attacker.
>however, there are not very many determined attackers.
Fair enough. I got sucked into the mother ship via acquisition, but come
from a past ISP/NSP background and truly appreciate this nudge. The
wheels of big enterprise often turn slowly (sometimes for good reason),
and I'm a lowly peon, but I will see if I can escalate this internally
considering the source.
We used to ship PIX/ASA fixups that broke EDNS by default, and the latest
ASA policy maps don't...so I'm cautiously optimistic we can do our part.
https://supportforums.cisco.com/thread/2013390
http://www.cisco.com/web/about/security/intelligence/dnssec.html
(The latter points directly to the OARC response size test, great tool.)