[dns-operations] First experiments with DNS dampening to fight amplification attacks
Stephane Bortzmeyer
bortzmeyer at nic.fr
Thu Sep 27 08:22:48 UTC 2012
On Mon, Sep 24, 2012 at 02:48:38PM +0000,
Lutz Donnerhacke <lutz at iks-jena.de> wrote
a message of 16 lines which said:
> Please have a look at http://lutz.donnerhacke.de/eng/Blog/DNS-Dampening
The basic security issue of DNS-based DoS is that the IP address of
the attacker is forged. There are therefore two classes of solutions:
1) Trying to authenticate the source address (TSIG, EDNS-ping, DNS
cookies, force TCP, etc). Then you can apply reputation-based systems.
2) Trying to filter/ratelimit/harass based on the contents of the
packets, not on the source address. This is what "ANY
bigdomain.example" filters do, for instance.
You use a 3rd method, applying a reputation (this IP did bad things)
on a forged address. This is bad, for the reasons explained by Vernon
Schryver (with dampening, you can kill any DNS client by pretending to
be it and attacking a server).
[As you can see, I agree with most of Paul Vixie's remarks.]
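To make the failure mode described above concrete, here is an added toy model of source-address dampening; it is not the code from the linked blog nor anything posted in this thread, and the penalty, half-life and threshold values are assumptions chosen only for illustration:

```python
"""Toy model of source-address dampening on a DNS server, showing why a
reputation keyed on a forgeable UDP source address can be turned against
any client. Constructed example; all parameters are assumptions, not the
settings of any real implementation."""
from dataclasses import dataclass, field


@dataclass
class Dampener:
    threshold: float = 100.0         # penalty above which a source is ignored (assumed)
    half_life: float = 10.0          # seconds for a penalty to halve (assumed)
    penalty_per_query: float = 10.0  # penalty charged per query (assumed)
    _penalty: dict = field(default_factory=dict)
    _last: dict = field(default_factory=dict)

    def current_penalty(self, src: str, now: float) -> float:
        """Penalty of `src` after exponential decay since its last query."""
        p = self._penalty.get(src, 0.0)
        age = now - self._last.get(src, now)
        return p * 0.5 ** (age / self.half_life)

    def should_answer(self, src: str, now: float) -> bool:
        """Charge one query to `src` and decide whether the server answers.
        Only the unauthenticated source address is consulted, which is the
        weakness the thread discusses."""
        p = self.current_penalty(src, now) + self.penalty_per_query
        self._penalty[src] = p
        self._last[src] = now
        return p <= self.threshold


def spoofing_scenario() -> dict:
    """A burst of queries carries a forged source equal to the victim's
    address; the real victim queries once before and once after the burst.
    Addresses are from documentation prefixes (constructed data)."""
    d = Dampener()
    victim, bystander = "192.0.2.10", "198.51.100.7"
    result = {"victim_before": d.should_answer(victim, now=0.0)}
    for i in range(20):                      # 20 forged packets within 0.2 s
        d.should_answer(victim, now=1.0 + 0.01 * i)
    result["victim_after"] = d.should_answer(victim, now=2.0)
    result["bystander"] = d.should_answer(bystander, now=2.0)
    result["victim_much_later"] = d.should_answer(victim, now=2000.0)
    return result


if __name__ == "__main__":
    print(spoofing_scenario())
```

The victim is refused service without having sent a single excessive query, while the unrelated bystander is unaffected; only the decay eventually restores the victim.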