[dns-operations] First experiments with DNS dampening to fight amplification attacks

paul vixie paul at redbarn.org
Mon Sep 24 17:16:27 UTC 2012


On 9/24/2012 3:24 PM, Lutz Donnerhacke wrote:
> Paul, yes it drops all the responses in dampening state. It does it
> for a very good reason: Even REFUSED messages are enough to run the
> attack.

lutz, that's a huge false positive denial of service vulnerability given
that ip source addresses are trivially forged. see SAC004
(http://www.icann.org/en/committees/security/sac004.txt) for details.

also, we do not generate REFUSED. the meaning of REFUSED is "there is an
ACL on the name server and your ip address is not in it." that signal
would be completely inappropriate in this circumstance.

paul
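The false-positive scenario this reply describes, as an added simulation that is not code from the thread or from any real dampening implementation: a toy per-source dampening table that drops every response to a source once it exceeds a query rate, fed first by a legitimate resolver, then by an attacker forging that resolver's address. The thresholds, timings, the address 192.0.2.53 (from the RFC 5737 documentation range) and the function and class names are all assumptions made for the example.

```python
"""Toy model of per-source DNS dampening and the spoofing false positive.

Added example, not code from the dns-operations thread or from any real
dampening implementation. Thresholds, addresses and timings are invented.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DampeningTable:
    """Per-source limiter of the kind discussed in the thread.

    Once a source exceeds `threshold` queries within `window` seconds it enters
    dampening state for `hold` seconds, during which every response (an answer,
    a REFUSED, anything) is dropped. The table key is the UDP source address,
    which nothing has authenticated: whoever writes that address into a packet
    decides which entry gets charged.
    """
    threshold: int = 100
    window: float = 1.0
    hold: float = 60.0
    counts: Dict[str, List[float]] = field(default_factory=dict)   # src -> [window_start, count]
    dampened_until: Dict[str, float] = field(default_factory=dict)  # src -> absolute time

    def decide(self, src: str, now: float) -> str:
        """Return "answer" or "drop" for one query from `src` arriving at `now`."""
        until = self.dampened_until.get(src)
        if until is not None and now < until:
            return "drop"                      # dampening state: silent, no REFUSED either
        start, count = self.counts.get(src, [now, 0])
        if now - start >= self.window:         # window expired, start a fresh one
            start, count = now, 0
        count += 1
        self.counts[src] = [start, count]
        if count > self.threshold:
            self.dampened_until[src] = now + self.hold
            return "drop"
        return "answer"


VICTIM = "192.0.2.53"   # constructed: a legitimate recursive resolver's address


def run_scenario(table: Optional[DampeningTable] = None) -> Dict[str, int]:
    """Drive the table through four phases and count what each party gets.

    1. The victim resolver sends a normal trickle of queries.
    2. An attacker sends a flood whose source address is forged as VICTIM.
    3. The victim keeps querying while the hold timer runs.
    4. The victim queries again after the hold has expired.
    """
    table = table or DampeningTable()
    out = {
        "victim_answered_before": 0,
        "forged_answered": 0,
        "forged_dropped": 0,
        "victim_answered_during_hold": 0,
        "victim_answered_after_hold": 0,
    }

    # Phase 1: ten genuine queries at t = 0.0 .. 0.9, well under the threshold.
    for i in range(10):
        if table.decide(VICTIM, i / 10) == "answer":
            out["victim_answered_before"] += 1

    # Phase 2: 1000 forged queries within one second. The first `threshold`
    # of them are reflected at the victim (the amplification the attacker
    # wants); the rest are dropped, and VICTIM is now in dampening state.
    for i in range(1000):
        if table.decide(VICTIM, 1.0 + i / 1000) == "answer":
            out["forged_answered"] += 1
        else:
            out["forged_dropped"] += 1

    # Phase 3: the real resolver's own queries at t = 5.0 .. 5.9. The server
    # cannot tell them from the forged ones, so they are silently dropped.
    for i in range(10):
        if table.decide(VICTIM, 5.0 + i / 10) == "answer":
            out["victim_answered_during_hold"] += 1

    # Phase 4: one query after the hold (1.1 + 60.0 s) has expired.
    if table.decide(VICTIM, 62.0) == "answer":
        out["victim_answered_after_hold"] += 1
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:30} {value}")
```

The numbers show both sides of the trade: the table does stop 900 of the 1000 forged queries, but the cost is that the resolver whose address was forged hears nothing, not even REFUSED, for the whole hold period, and the attacker can renew that state with a handful of packets per window for as long as it likes. Nothing in the table distinguishes the resolver from the attacker because the only thing being keyed on is an unauthenticated UDP source address.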
