[dns-operations] First experiments with DNS dampening to fight amplification attacks

Stephane Bortzmeyer bortzmeyer at nic.fr
Thu Sep 27 08:22:48 UTC 2012

On Mon, Sep 24, 2012 at 02:48:38PM +0000,
 Lutz Donnerhacke <lutz at iks-jena.de> wrote 
 a message of 16 lines which said:

> Please have a look at http://lutz.donnerhacke.de/eng/Blog/DNS-Dampening

The basic security issue of DNS-based DoS is that the IP address of
the attacker is forged. There are therefore two classes of solutions:

1) Trying to authenticate the source address (TSIG, EDNS-ping, DNS
cookies, force TCP, etc). Then you can apply reputation-based systems.

2) Trying to filter/ratelimit/harass based on the contents of the
packets, not on the source address. This is what "ANY
bigdomain.example" filters do, for instance.

You use a 3rd method, applying a reputation (this IP did bad things)
on a forged address. This is bad, for the reasons explained by Vernon
Schryver (with dampening, you can kill any DNS client by pretending to
be it and attacking a server).

[As you can see, I agree with most Paul Vixie's remarks.]

More information about the dns-operations mailing list