[dns-operations] First experiments with DNS dampening to fight amplification attacks

Florian Weimer fw at deneb.enyo.de
Tue Oct 30 21:37:54 UTC 2012

* Roland Dobbins:

> If the rate-limiting is based upon source IPs, then there's
> potentially a lot of state there.  If the rate-limiting is based
> upon the destination IP, then it guarantees that
> programmatically-generated attack traffic will 'crowd out'
> legitimate requests.

Reflection attacks do not use totally random source addresses, so the
typical state exhaustion vector does not necessarily apply.

(With IPv6, there are more bits which could be abused for randomness,
but then, a contradiction between the specification and deployed stacks
makes it impossible to serve IPv6 traffic in a stateless fashion, so
the entire discussion is pointless.)
