[dns-operations] First experiments with DNS dampening to fight amplification attacks
David Miller
dmiller at tiggee.com
Thu Oct 25 20:16:52 UTC 2012
On 10/25/2012 1:48 PM, paul vixie wrote:
> On 10/25/2012 5:08 PM, Michael Hoskins (michoski) wrote:
>> ...
>>
>> Seems to show clever hacks can be useful (looks good for roots), but don't
>> generally work against real hackers who typically read lists (and source
>> code). :-)
>
> until cisco makes source address validation the default, we have no
> tools available to thwart ddos, other than clever hacks. all of which
> will have serious limitations in the face of a determined attacker.
> however, there are not very many determined attackers.
>
> michael, please send diffs to
> <http://ss.vix.com/~vixie/isc-tn-2012-1.txt> section 5, which currently
> reads:
>
> 5 - Attacker Behaviour
>
> 5.1. A forged-source reflective amplifying attacker who wants to be
> successful will either have to select authority servers who do not
> practice rate limiting yet, or will have to select a large number of
> authority servers and use round robin to distribute the attack flows.
> Each authority server will have to be asked a question within one of
> that server's zones chosen at random in order to get an amplification
> effect. An attacker would do well to select DNSSEC-signed zones and to
> use DNSSEC signalling in their forged queries to maximize response size.
> This will be more effective than QTYPE ANY queries which are often
> blocked altogether due to their diagnostic rather than operational
> purpose.
Is it actually the case that QTYPE ANY queries are often blocked altogether?
> thanks,
>
> paul
>