[dns-operations] DoS with amplification: yet another funny Unix script

Phil Regnauld regnauld at nsrc.org
Tue Sep 11 19:45:57 UTC 2012


Colm MacCárthaigh (colm) writes:
> 
> With the greatest of respect; that thinking is itself simplistic.
> Where I work we concentrate on writing very good firewalls. Sometimes
> these rules even have to parse DNS, just as the DNS server must ...
> which causes duplication of work. We do this for several reasons;

	[valid arguments trimmed]

> During real attacks, if a packet makes it to the dns server, the game is
> already lost.

	If you've got a cluster of anycast boxes behind a set of stateful
	firewalls, chances are you'll run out of states way before you exhaust
	what the DNS farm is capable of pushing out. At least that's what I've
	seen. Common wisdom is to let the DNS server deal with it, but I don't
	work where you work :) 

	Cheers,
	Phil
