[dns-operations] First experiments with DNS dampening to fight amplification attacks

Matthäus Wander matthaeus.wander at uni-due.de
Fri Sep 28 15:16:03 UTC 2012


* bert hubert [2012-09-28 09:44]:
> Hmmm for authoritative servers, we might also emit a CNAME "challenge". This
> would be a needless and semantically null transition, but only a bona fide
> resolver will come back to follow the CNAME trail.
>
> This allows us to test for two-way communications without using truncated
> packets or TCP.
>
> We could encode the correct destination in the CNAME, for A and
> AAAA this is trivial. If you come back to resolve
> encoded-12.32.43.43.attackeddomain.com, you get 12.32.43.43 etc. For extra
> resilience encrypt it.

There has recently been a patent granted for this method:
http://www.freepatentsonline.com/8261351.html

Though they don't use it to decide about blocking, but use the CNAME
challenge on every query, still providing a small amplification. This
comes at the risk of running into resolver issues with NS or MX records...

Regards,
Matt

-- 
Universität Duisburg-Essen
Verteilte Systeme
Bismarckstr. 90 / BC 316
47057 Duisburg
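
A minimal sketch of the stateless CNAME challenge discussed in this message, added here as an example and not part of the original thread or of any server's code. It authenticates the encoded address with a truncated HMAC instead of encrypting it (a substitution for the "encrypt it" suggestion); the key, tag length and function names are assumptions.

```python
import base64, hashlib, hmac, ipaddress

SECRET = b"constructed-demo-key"  # assumption: per-server secret, rotated regularly
ZONE = "attackeddomain.com"       # zone name from the quoted message
PREFIX = "encoded-"               # label prefix from the quoted message
TAG_LEN = 8                       # assumption: truncated HMAC-SHA256 tag, in bytes

def _tag(raw):
    return hmac.new(SECRET, raw, hashlib.sha256).digest()[:TAG_LEN]

def challenge_target(address):
    """CNAME target for the first query: the address plus a tag, in one label."""
    raw = ipaddress.ip_address(address).packed
    # base32 survives DNS case-insensitivity and resolver case randomization;
    # the label is 28 chars for A and 47 for AAAA, within the 63-octet limit.
    blob = base64.b32encode(raw + _tag(raw)).decode().rstrip("=").lower()
    return f"{PREFIX}{blob}.{ZONE}"

def answer_followup(qname):
    """Return (rrtype, address) for a name this server issued, else None."""
    name = qname.rstrip(".").lower()
    suffix = "." + ZONE
    if not name.endswith(suffix):
        return None
    label = name[:-len(suffix)]
    if "." in label or not label.startswith(PREFIX):
        return None
    text = label[len(PREFIX):].upper()
    try:
        blob = base64.b32decode(text + "=" * (-len(text) % 8))
    except ValueError:  # bad alphabet, bad padding, non-ASCII input
        return None
    raw, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    # Reject forged names so the server only answers challenges it created.
    if len(raw) not in (4, 16) or not hmac.compare_digest(tag, _tag(raw)):
        return None
    return ("A" if len(raw) == 4 else "AAAA", str(ipaddress.ip_address(raw)))

if __name__ == "__main__":
    target = challenge_target("12.32.43.43")  # constructed sample input
    print(target, "->", answer_followup(target))
```

The server keeps no per-client state: everything needed to answer the follow-up query is carried in the name itself.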
