[dns-operations] First experiments with DNS dampening to fight amplification attacks

Ralph Babel rbabel at babylon.pfm-mainz.de
Fri Oct 26 11:58:00 UTC 2012


Paul Vixie wrote:

> until cisco makes source address validation the default, we have
> no tools available to thwart ddos, other than clever hacks.

While we may not have any tools to fight DDoS per se, we do
have one to combat _amplification_ attacks: it's called "TCP".

Yes, it does come at a cost, but no one said we could cut
corners forever, be it by using UDP DNS outside LANs or by
rate-limiting unvalidated source addresses. (Now why does
this remind me of the DNSSEC debate?)

"There's no easy way out, there's no shortcut home ..."
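
The mechanism behind the point above, as an added example that is not part of the original post: a toy Python model of one packet with a forged source address sent to an open resolver, first as a UDP query and then as a TCP SYN. The byte sizes are constructed, representative figures rather than measurements; the class and function names (`OpenResolver`, `Victim`, `amplification`) are the example's own; the SYN-ACK retry count follows the Linux default of 5 for net.ipv4.tcp_synack_retries. It also carries the caveat a practitioner would add to "use TCP": the handshake removes the amplification, but a victim that silently drops the unsolicited SYN-ACK instead of resetting still receives the server's retransmissions, so a small reflection factor remains.

```python
"""Toy model of UDP DNS amplification versus a TCP handshake.

Added example, not code from the original post. Packet sizes are constructed,
representative figures (no measurements): a query for a large RRset is tens of
bytes, the answer can approach the 4096-byte EDNS0 ceiling, and a TCP SYN or
SYN-ACK without options is 40 bytes. Hosts are in-memory objects; nothing is
sent on a real network and no address is actually spoofed.
"""
from dataclasses import dataclass, field

IP_HDR, UDP_HDR, TCP_HDR = 20, 8, 20
DNS_QUERY_BYTES = 45      # assumed: short question section plus EDNS0 OPT
DNS_ANSWER_BYTES = 3900   # assumed: large ANY / DNSSEC-signed answer
SYNACK_RETRIES = 5        # Linux default for net.ipv4.tcp_synack_retries


@dataclass
class Packet:
    src: str
    dst: str
    proto: str             # "udp" or "tcp"
    size: int              # bytes on the wire, IP header included
    tcp_flags: str = ""    # "SYN", "SYN-ACK" or "RST" in the TCP model


@dataclass
class Host:
    addr: str
    received: list = field(default_factory=list)

    def deliver(self, pkt: Packet) -> None:
        self.received.append(pkt)

    def bytes_received(self) -> int:
        return sum(p.size for p in self.received)


class OpenResolver(Host):
    """Resolver that answers whatever the IP source field says, unvalidated."""

    def __init__(self, addr, net):
        super().__init__(addr)
        self.net, self.half_open = net, set()

    def deliver(self, pkt):
        super().deliver(pkt)
        if pkt.proto == "udp":
            # The forged source is trusted: the large answer goes to the victim.
            self.net.send(Packet(self.addr, pkt.src, "udp",
                                 IP_HDR + UDP_HDR + DNS_ANSWER_BYTES))
        elif pkt.tcp_flags == "SYN":
            # Only a SYN-ACK goes back. The DNS query itself cannot arrive until
            # the named source completes the handshake, which a victim never does.
            self.half_open.add(pkt.src)
            self.net.send(Packet(self.addr, pkt.src, "tcp", IP_HDR + TCP_HDR, "SYN-ACK"))
        elif pkt.tcp_flags == "RST":
            self.half_open.discard(pkt.src)     # victim's reset tears the entry down

    def retransmit_synacks(self, retries):
        """Server-side timer: resend SYN-ACKs for connections still half open."""
        for _ in range(retries):
            for src in list(self.half_open):
                self.net.send(Packet(self.addr, src, "tcp", IP_HDR + TCP_HDR, "SYN-ACK"))


class Victim(Host):
    """Ordinary host; a normal stack answers an unexpected SYN-ACK with a RST."""

    def __init__(self, addr, net, sends_rst=True):
        super().__init__(addr)
        self.net, self.sends_rst = net, sends_rst

    def deliver(self, pkt):
        super().deliver(pkt)
        if pkt.tcp_flags == "SYN-ACK" and self.sends_rst:
            self.net.send(Packet(self.addr, pkt.src, "tcp", IP_HDR + TCP_HDR, "RST"))


class Net:
    """A network with no source address validation anywhere on the path."""

    def __init__(self):
        self.hosts = {}

    def add(self, host):
        self.hosts[host.addr] = host
        return host

    def send(self, pkt):
        self.hosts[pkt.dst].deliver(pkt)


def amplification(proto, victim_sends_rst=True, synack_retries=SYNACK_RETRIES):
    """Bytes landing on the victim per byte the attacker sends, for one forged packet."""
    net = Net()
    resolver = net.add(OpenResolver("resolver", net))
    victim = net.add(Victim("victim", net, victim_sends_rst))
    if proto == "udp":
        forged = Packet("victim", "resolver", "udp", IP_HDR + UDP_HDR + DNS_QUERY_BYTES)
    else:
        forged = Packet("victim", "resolver", "tcp", IP_HDR + TCP_HDR, "SYN")
    net.send(forged)                 # attacker puts the victim's address in the source field
    resolver.retransmit_synacks(synack_retries)
    return victim.bytes_received() / forged.size


if __name__ == "__main__":
    print(f"UDP query -> answer:            x{amplification('udp'):.1f}")
    print(f"TCP SYN, victim resets:         x{amplification('tcp'):.1f}")
    print(f"TCP SYN, victim silently drops: x{amplification('tcp', victim_sends_rst=False):.1f}")
```

With the constructed sizes the UDP case lands roughly 54 bytes on the victim for each attacker byte, the TCP case with a normally behaving victim lands exactly one SYN-ACK per SYN (ratio 1.0, reflection but no amplification), and a victim that filters the SYN-ACK without resetting receives the original plus five retransmissions (ratio 6.0). Tuning tcp_synack_retries down on a TCP-fronted resolver, or using SYN cookies so no state is kept for unanswered SYN-ACKs, is how that residual factor is kept small in practice.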
