[dns-operations] DoS with amplification: yet another funny Unix script
Colm MacCárthaigh
colm at stdlib.net
Tue Sep 11 20:17:30 UTC 2012
On Tue, Sep 11, 2012 at 12:45 PM, Phil Regnauld <regnauld at nsrc.org> wrote:
>> During real attacks, if a packet makes it to the dns server, the game is
>> already lost.
>
> If you've got a cluster of anycast boxes behind a set of stateful
> firewalls, chances are you'll run out of states way before you exhaust
> what the DNS farm is capable of pushing out. At least that's what I've
> seen. Common wisdom is to let the DNS server deal with it, but I don't
> work where you work :)
Some state is useful; the rate-limit patches we're seeing here are
themselves an example of stateful filtering, but with minimal state.
Other good examples include using counting bloom filters, or
hash-limit targets (effectively the same thing). Enforcing traditional
protocol state, e.g. TCP transmission window enforcement or UDP
"connection" emulation, is definitely unwise.
--
Colm
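An added example, not code from the thread or from any DNS server, of the minimal-state filtering Colm describes: a hash-limit style response rate limiter that keeps per-source counts in a fixed counting-Bloom / count-min array, so state does not grow with the number of spoofed sources. The slot count, limit, window and sample addresses are assumptions chosen for illustration.

```python
import hashlib
import time


class CountingBloomLimiter:
    """Approximate per-source counter in a fixed array (hashlimit-like).

    Each source address maps to a few slots; the estimate is the minimum
    of those slots, which bounds over-counting from collisions. Memory is
    the slot array only, whatever the number of distinct sources.
    """

    def __init__(self, slots=4096, hashes=3, limit=20, window=1.0):
        self.slots, self.hashes = slots, hashes
        self.limit, self.window = limit, window
        self.counts = [0] * slots       # the only per-traffic state kept
        self.window_start = None

    def _indexes(self, key):
        digest = hashlib.sha256(key.encode()).digest()
        return [int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.slots
                for i in range(self.hashes)]

    def _roll_window(self, now):
        # Drop all counts at the window boundary (a coarse leaky bucket).
        if self.window_start is None or now - self.window_start >= self.window:
            self.counts = [0] * self.slots
            self.window_start = now

    def allow(self, src_ip, now=None):
        """Return True if a response to src_ip may be sent in this window."""
        now = time.monotonic() if now is None else now
        self._roll_window(now)
        idx = self._indexes(src_ip)
        if min(self.counts[i] for i in idx) >= self.limit:
            return False                # this source already hit the limit
        for i in idx:
            self.counts[i] += 1
        return True


def responses_sent(limiter, packets):
    """Feed (timestamp, source) pairs through the limiter; return sends."""
    return sum(1 for ts, src in packets if limiter.allow(src, ts))


if __name__ == "__main__":
    # Constructed traffic: one spoofed source floods, others query normally.
    flood = [(0.0, "198.51.100.7")] * 500
    normal = [(0.0, f"203.0.113.{i}") for i in range(1, 6)]
    lim = CountingBloomLimiter()
    print(responses_sent(lim, flood + normal), "responses sent of", 505)
```

The flood source is cut off after `limit` responses per window while the array stays at `slots` counters, which is the property that lets this scale where per-flow connection tracking runs out of states.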