[dns-operations] How many kinds of DNS DoS attacks are we trying to stop ?

Sebastian Castro sebastian at nzrs.net.nz
Thu Sep 27 20:11:25 UTC 2012


On 28/09/12 05:19, Phil Pennock wrote:
> On 2012-09-27 at 12:23 -0400, Olafur Gudmundsson wrote:
>> Similarly we should think about approaches that operators/implementors 
>> can take to limit their vulnerability
> 
> Three crazy ideas, not tried because so far I've been lucky enough to
> not get a serious DoS; throwing them out to see what sticks, past the
> mockery.
> 
> (1)
> Log queries in-memory only, with a ring buffer, so that if a reader
> doesn't keep up, it loses those queries; in high enough volume, log
> statistical samples.
> 
> Experiment to see if OS fingerprinting yields useful signal on DNS UDP
> queries (I suspect not?).

^^^ It doesn't work at all. I tested that while at CAIDA in order to
qualify the sources of traffic hitting the root servers. Most of the OS
fingerprinting is based on variations of the TCP handshake flags + other
TCP elements. I used lots and lots of packets against a passive OS
fingerprinting code and the results were useless.


Kind Regards,
-- 
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
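The quoted idea (1), an in-memory ring-buffer query log that drops entries when the reader falls behind and falls back to statistical sampling at high volume, can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not code from the dns-operations list, from either poster, or from any DNS server. The class name, the parameters (`capacity`, `sample_above_qps`, `sample_rate`) and the per-second rate heuristic are all assumptions chosen for the example; the query tuples fed to it are constructed sample data.

```python
"""Lossy, bounded DNS query log (added example, not from the original post).

Design goals taken from the quoted idea:
  * never block or grow without bound under a query flood;
  * when the consumer cannot keep up, overwrite the oldest entries;
  * above a per-second rate threshold, record only a random 1-in-N
    subset and weight each kept entry by N so per-source estimates
    stay roughly right.
"""
import random
from collections import Counter, deque


class RingQueryLog:
    # All parameter names/defaults are assumptions for this example.
    def __init__(self, capacity=4096, sample_above_qps=5000, sample_rate=100, rng=None):
        self.buf = deque(maxlen=capacity)      # ring buffer: oldest entry is evicted on overflow
        self.sample_above_qps = sample_above_qps
        self.sample_rate = sample_rate
        self.rng = rng or random.Random()
        self.seen = 0        # queries offered to the log
        self.dropped = 0     # entries overwritten before any reader drained them
        self._sec = None     # wall-clock second of the current rate window
        self._sec_count = 0  # queries seen so far in that second

    def record(self, ts, src_ip, qname, qtype):
        """Offer one query; return True if it was stored in the ring."""
        self.seen += 1
        sec = int(ts)
        if sec != self._sec:
            self._sec, self._sec_count = sec, 0
        self._sec_count += 1

        weight = 1
        if self._sec_count > self.sample_above_qps:
            # Flood mode: keep 1 in sample_rate queries, weight the survivors.
            if self.rng.randrange(self.sample_rate) != 0:
                return False
            weight = self.sample_rate

        if len(self.buf) == self.buf.maxlen:
            self.dropped += 1               # reader fell behind; oldest entry lost
        self.buf.append((ts, src_ip, qname, qtype, weight))
        return True

    def drain(self):
        """Hand the buffered entries to the reader and empty the ring."""
        entries = list(self.buf)
        self.buf.clear()
        return entries


def estimated_total(entries):
    """Weighted count: approximates how many queries the entries represent."""
    return sum(e[4] for e in entries)


def top_sources(entries, n=3):
    """Weighted per-source counts, most active first."""
    counts = Counter()
    for _ts, src, _qname, _qtype, weight in entries:
        counts[src] += weight
    return counts.most_common(n)


if __name__ == "__main__":
    # Constructed sample traffic: one noisy source, one quiet one.
    log = RingQueryLog(capacity=1000, sample_above_qps=200, sample_rate=10,
                       rng=random.Random(7))
    for i in range(5000):
        src = "198.51.100.7" if i % 50 else "203.0.113.9"   # constructed, documentation ranges
        log.record(1348776000.0 + i / 10000.0, src, "example.nz.", "A")
    batch = log.drain()
    print("seen", log.seen, "stored", len(batch), "dropped", log.dropped)
    print("estimated", estimated_total(batch), "top", top_sources(batch))
```

The rate window is deliberately crude (queries counted per wall-clock second, full logging for the first `sample_above_qps` of them, sampling after that) so the logger itself stays cheap on the hot path; the reader reconstructs approximate per-source volumes from the weights rather than from exact counts.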