[dns-operations] How many kinds of DNS DoS attacks are we trying to stop ?

Stephane Bortzmeyer bortzmeyer at nic.fr
Thu Sep 27 20:07:32 UTC 2012


On Thu, Sep 27, 2012 at 12:23:12PM -0400,
 Olafur Gudmundsson <ogud at ogud.com> wrote 
 a message of 64 lines which said:

> Usually when this happens in a debate that reflects a
> partial/non-shared understanding of the problem.

It may simply means there are inherent contradictions. This is common
in security issues (not only network security).

> Unfortunately by trying to mitigate a) and/or b) we are making c)
> more plausible thus any defensive mechanism must take that into
> account.

I think it is a good example of an inherent contradiction. Engineers
often seek perfect solutions, but, in the world, there are often only
"lesser evils". So, while it is perfectly acceptable to search better
solutions, it is unrealistic to hope we will find a solution without
any secondary effect (witness the fight against spam for a good
illustration).

> Having said this in general I think having more than one defensive
> mechanism is a good thing thus we should be encouraging debate about
> different solutions/techniques and how to improve them.

And also in what conditions to use them. In security, you cannot have
algorithms, since you do not face blind nature but intelligent
beings. Therefore, the good guys will need to have *several* tools in
their toolbox *and* to know when to use this one and when to choose
that one.

For instance, I'm a big fan of rate-limiting ANY requests because it
works fine *today* in *some* attacks but I would never say it is *the*
solution to DNS-based DoS attacks. It is just a tool among others.



More information about the dns-operations mailing list