[dns-operations] First experiments with DNS dampening to fight amplification attacks

David Miller dmiller at tiggee.com
Thu Oct 25 20:16:52 UTC 2012

On 10/25/2012 1:48 PM, paul vixie wrote:
> On 10/25/2012 5:08 PM, Michael Hoskins (michoski) wrote:
>> ...
>> Seems to show clever hacks can be useful (looks good for roots), but don't
>> generally work against real hackers who typically read lists (and source
>> code).  :-)
> until cisco makes source address validation the default, we have no
> tools available to thwart ddos, other than clever hacks. all of which
> will have serious limitations in the face of a determined attacker.
> however, there are not very many determined attackers.
> michael, please send diffs to
> <http://ss.vix.com/~vixie/isc-tn-2012-1.txt> section 5, which currently
> reads:
>    5 - Attacker Behaviour
>    5.1. A forged-source reflective amplifying attacker who wants to be
>    successful will either have to select authority servers who do not
>    practice rate limiting yet, or will have to select a large number of
>    authority servers and use round robin to distribute the attack flows.
>    Each authority server will have to be asked a question within one of
>    that server's zones chosen at random in order to get an amplification
>    effect. An attacker would do well to select DNSSEC-signed zones and to
>    use DNSSEC signalling in their forged queries to maximize response size.
>    This will be more effective than QTYPE ANY queries which are often
>    blocked altogether due to their diagnostic rather than operational
>    purpose.

Is it actually the case that QTYPE ANY queries are often blocked altogether?

> thanks,
> paul

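As an added illustration (not code from the ISC technical note or from anyone in this thread), a response-rate limiter that keys on the forged source netblock and charges by response bytes across every zone the server serves, so rotating through a server's zones at random, or picking its DNSSEC-signed ones, does not evade it. Addresses, rates and response sizes are constructed for the demo.

```python
import ipaddress

class ResponseRateLimiter:
    """Token bucket per client netblock, charged in response bytes (not queries).
    Keying on the forged source rather than the qname or zone means an attacker
    cycling through every zone on this server still shares one bucket, and large
    DNSSEC answers cost more than small ones. Parameters are constructed for the demo."""
    def __init__(self, bytes_per_ms, burst_ms):
        self.rate = bytes_per_ms                 # refill rate
        self.capacity = bytes_per_ms * burst_ms  # maximum burst
        self.buckets = {}                        # netblock -> (tokens, last_ms)

    @staticmethod
    def key(addr):
        ip = ipaddress.ip_address(addr)
        prefix = 24 if ip.version == 4 else 56
        return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

    def allow(self, client, response_bytes, now_ms):
        """Return True if the response may be sent in full; False means drop
        (a real RRL would often reply with TC=1 to push the client to TCP)."""
        k = self.key(client)
        tokens, last = self.buckets.get(k, (self.capacity, now_ms))
        tokens = min(self.capacity, tokens + (now_ms - last) * self.rate)
        if tokens >= response_bytes:
            self.buckets[k] = (tokens - response_bytes, now_ms)
            return True
        self.buckets[k] = (tokens, now_ms)
        return False

def simulate(limiter, client, qps, response_bytes, seconds, zones):
    """Send qps queries/s for `seconds`, rotating through `zones`; return
    (responses sent, bytes sent, queries received)."""
    sent = bytes_sent = 0
    n = qps * seconds
    for i in range(n):
        _zone = zones[i % len(zones)]  # rotated, but irrelevant to the bucket key
        if limiter.allow(client, response_bytes, i * 1000 // qps):
            sent += 1
            bytes_sent += response_bytes
    return sent, bytes_sent, n

if __name__ == "__main__":
    rrl = ResponseRateLimiter(bytes_per_ms=20, burst_ms=2000)  # 20 kB/s, 40 kB burst
    zones = ["example.", "example.net.", "example.org."]       # constructed
    # Forged-source flood: 100 q/s toward victim 192.0.2.10, ~3 kB DNSSEC answers.
    print(simulate(rrl, "192.0.2.10", 100, 3000, 10, zones))
    # Ordinary resolver at 5 q/s with ~100-byte answers is never throttled.
    print(simulate(rrl, "198.51.100.5", 5, 100, 10, zones))
```

The per-server bucket does nothing against the note's other strategy, spreading the flows round-robin over many authority servers; that is why the note treats source address validation, not rate limiting, as the real fix.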