[dns-operations] First experiments with DNS dampening to fight amplification attacks

paul vixie paul at redbarn.org
Fri Sep 28 15:07:24 UTC 2012


On 9/28/2012 2:48 PM, Mark Andrews wrote:
> In message <alpine.LSU.2.00.1209281541070.1469 at hermes-1.csi.cam.ac.uk>, Tony Finch writes:
>> Mark Andrews <marka at isc.org> wrote:
>>> Server cookies are the way to go though I would add timestamps so
>>> that server secrets don't need to be changed.  The time stamp would
>>> have to be within X seconds of the server's current concept of time
>>> or it will be treated as a bad cookie.  The time would be concatenated
>>> to the rest of the data to be hashed.
>> Are you referring to this?
>> http://tools.ietf.org/html/draft-eastlake-dnsext-cookies
> Yes.  It's a reasonable way to identify non-spoofed traffic which
> means you can apply filtering techniques to the rest of the traffic
> which will be a mix of spoofed and non-spoofed.

i don't agree. there's no way to tell the difference between a client
who hasn't upgraded, vs. a client who has downgraded or is behind a NAT
box, vs. a spoofer. therefore we will not be able to drop non-cookied
queries even while under attacks which spoof the same netblock as we get
a non-cookied query from.

see RFC 6013, as earlier summarized in ;login:
(http://static.usenix.org/publications/login/2009-12/openpdfs/metzger.pdf),
for another approach to fixing not just DNS but HTTP state management.

paul

-- 
"I suspect I'm not known as a font of optimism." (VJS, 2012)
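The timestamped server cookie Mark describes above, as an added illustration that is not part of the thread, of the eastlake draft, or of any server's code. It assumes an HMAC-SHA256 truncated to 8 bytes over client address, client cookie and a 32-bit timestamp, a skew window of 300 seconds standing in for the "X seconds" in the thread, and a classify_query helper; all of these names and values are constructed here. A query whose cookie is missing or fails verification is only routed to the "unverified" path, where ordinary rate limiting applies, rather than dropped, which is the distinction both posters are arguing about.

```python
import hashlib
import hmac
import struct
import time

# Constructed example values: not from the thread or the draft.
SERVER_SECRET = b"example-server-secret-rotate-me"
MAX_CLOCK_SKEW = 300          # assumed value for the "X seconds" window
COOKIE_LEN = 4 + 8            # 32-bit timestamp + 8-byte MAC


def _mac(secret, client_ip, client_cookie, timestamp):
    """MAC over client address, client cookie and the timestamp.

    Because the timestamp is part of the hashed data, the server secret
    itself never needs to change in order to expire old cookies.
    """
    msg = client_ip.encode() + client_cookie + struct.pack("!I", timestamp)
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]


def make_server_cookie(secret, client_ip, client_cookie, now=None):
    """Return timestamp || MAC, the cookie handed back to the client."""
    ts = int(time.time() if now is None else now)
    return struct.pack("!I", ts) + _mac(secret, client_ip, client_cookie, ts)


def verify_server_cookie(secret, client_ip, client_cookie, cookie,
                         now=None, max_skew=MAX_CLOCK_SKEW):
    """True only if the cookie's timestamp is within the window and the MAC
    matches for this client address and client cookie."""
    if len(cookie) != COOKIE_LEN:
        return False
    ts = struct.unpack("!I", cookie[:4])[0]
    now = int(time.time() if now is None else now)
    if abs(now - ts) > max_skew:
        return False                      # stale or future-dated: bad cookie
    expected = _mac(secret, client_ip, client_cookie, ts)
    return hmac.compare_digest(expected, cookie[4:])


def classify_query(secret, client_ip, client_cookie, server_cookie, now=None):
    """Sort a query into the verified (non-spoofed) path or the unverified
    path. Unverified queries are not dropped: a legacy client, a client
    behind NAT and a spoofer all look the same here, so that path gets
    rate limiting rather than a refusal."""
    if server_cookie is None:
        return "unverified"
    if verify_server_cookie(secret, client_ip, client_cookie,
                            server_cookie, now=now):
        return "verified"
    return "unverified"


if __name__ == "__main__":
    ck = b"\x01" * 8                      # constructed client cookie
    sc = make_server_cookie(SERVER_SECRET, "192.0.2.10", ck, now=1_000_000)
    print(classify_query(SERVER_SECRET, "192.0.2.10", ck, sc, now=1_000_100))
    print(classify_query(SERVER_SECRET, "192.0.2.10", ck, sc, now=1_000_400))
```

The timestamp is sent in the clear and authenticated by the MAC, so a replayed cookie expires on its own once it falls outside the skew window, and a cookie minted for one client address fails for any other.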