[dns-operations] First experiments with DNS dampening to fight amplification attacks
dmiller at tiggee.com
Thu Oct 25 20:16:52 UTC 2012
On 10/25/2012 1:48 PM, paul vixie wrote:
> On 10/25/2012 5:08 PM, Michael Hoskins (michoski) wrote:
>> Seems to show clever hacks can be useful (looks good for roots), but don't
>> generally work against real hackers who typically read lists (and source
>> code). :-)
> until cisco makes source address validation the default, we have no
> tools available to thwart ddos, other than clever hacks. all of which
> will have serious limitations in the face of a determined attacker.
> however, there are not very many determined attackers.
> michael, please send diffs to
> <http://ss.vix.com/~vixie/isc-tn-2012-1.txt> section 5, which currently
> 5 - Attacker Behaviour
> 5.1. A forged-source reflective amplifying attacker who wants to be
> successful will either have to select authority servers who do not
> practice rate limiting yet, or will have to select a large number of
> authority servers and use round robin to distribute the attack flows.
> Each authority server will have to be asked a question within one of
> that server's zones chosen at random in order to get an amplification
> effect. An attacker would do well to select DNSSEC-signed zones and to
> use DNSSEC signalling in their forged queries to maximize response size.
> This will be more effective than QTYPE ANY queries which are often
> blocked altogether due to their diagnostic rather than operational
Is it actually the case that QTYPE ANY queries are often blocked altogether?