[dns-operations] First experiments with DNS dampening to fight amplification attacks
rbabel at babylon.pfm-mainz.de
Fri Oct 26 11:58:00 UTC 2012
Paul Vixie wrote:
> until cisco makes source address validation the default, we have
> no tools available to thwart ddos, other than clever hacks.
While we may not have any tools to fight DDoS per se, we do
have one to combat _amplification_ attacks: it's called "TCP".
Yes, it does come at a cost, but no one said we could cut
corners forever, be it by using UDP DNS outside LANs or by
rate-limiting unvalidated source addresses. (Now why does
this remind me of the DNSSEC debate?)
"There's no easy way out, there's no shortcut home ..."