[dns-operations] First experiments with DNS dampening to fight amplification attacks

Michael Hoskins (michoski) michoski at cisco.com
Thu Oct 25 17:59:47 UTC 2012

-----Original Message-----

From: paul vixie <paul at redbarn.org>
Date: Thursday, October 25, 2012 1:48 PM
To: Mike Hoskins <michoski at cisco.com>
Cc: Lutz Donnerhacke <lutz at iks-jena.de>,
"dns-operations at mail.dns-oarc.net" <dns-operations at mail.dns-oarc.net>
Subject: Re: [dns-operations] First experiments with DNS dampening to
fight amplification attacks

>On 10/25/2012 5:08 PM, Michael Hoskins (michoski) wrote:
>> ...
>> Seems to show clever hacks can be useful (looks good for roots), but
>> generally work against real hackers who typically read lists (and source
>> code).  :-)
>until cisco makes source address validation the default, we have no
>tools available to thwart ddos, other than clever hacks. all of which
>will have serious limitations in the face of a determined attacker.
>however, there are not very many determined attackers.

Fair enough.  I got sucked into the mother ship via acquisition, but come
from a past ISP/NSP background and truly appreciate this nudge.  The
wheels of big enterprise often turn slowly (sometimes for good reason),
and I'm a lowly peon, but I will see if I can escalate this internally
considering the source.

We used to ship PIX/ASA fixups that broke EDNS by default, and the latest
ASA policy maps don't...so I'm cautiously optimistic we can do our part.

(The latter points directly to the OARC response size test, great tool.)
