[dns-operations] DoS with amplification: yet another funny Unix script

Colm MacCárthaigh colm at stdlib.net
Tue Sep 11 20:17:30 UTC 2012

On Tue, Sep 11, 2012 at 12:45 PM, Phil Regnauld <regnauld at nsrc.org> wrote:
>> During real attacks, if a packet makes it to the dns server, the game is
>> already lost.
>         If you've got a cluster of anycast boxes behind a set of stateful
>         firewalls, chances are you'll run out of states way before you exhaust
>         what the DNS farm is capable of pushing out. At least that's what I've
>         seen. Common wisdom is to let the DNS server deal with it, but I don't
>         work where you work :)

Some state is useful, the rate-limit patches we're seeing here are
themselves an example of stateful filtering, but with minimal state.
Other good examples include using counting bloom filters, or
hash-limit targets (effectively the same thing). Enforcing traditional
protocol state; e.g. TCP transmission window enforcement, or UDP
"connection" emulation is definitely unwise.


More information about the dns-operations mailing list