[dns-operations] Another whitepaper on DDOS

Vernon Schryver vjs at rhyolite.com
Thu Feb 21 18:47:53 UTC 2013


> From: Jeff Wright <jwright at isc.org>

> http://docs.media.bitpipe.com/io_10x/io_106675/item_584633/Gartner%20and%20Arbor%20Focus%20on%20DDoS%20FINAL.PDF

On one hand, it
  - gets significant bits of history wrong, such as the claim that
     SSL had nothing to do with authentication and authorization
     until EV certificates.  If confidentiality ("encryption") were
     the sole point of SSL, then SSL would have gone straight to a
     DH exchange and done no public key computing.  EV would not be
     a minor elaboration of the old, widely used PKI.  (page 15)

  - urges the use of "DNS Authentication."  I guess "DNS authentication
     [would work] to ensure that source queries to a DNS server ...
     are in fact coming from a valid host" if you can find and deploy
     DNS stub resolvers that support DNS authentication and then deploy
     them.  I think that's practically impossible for the foreseeable
     future.  It might instead be referring to ACLs in servers and
     relying on IP source addresses as authentication tokens, but that
     would be almost as lame.  (page 6)

  - advocates naive, and therefore bad, query rate limiting and separate
     NXDOMAIN rate limiting.  It should have mentioned RRL.  (page 6)

  - advocates applying regexes and packet capture for no purpose.
     Looking for text in DNS packets will find lots of it separated
     by what look like ASCII control characters.  Unless you have a
     specific target, you're unlikely to do more than waste time by
     manually staring at packets for any port.  (page 6)

On the other hand, those are all minor nits and mostly reflect
my prejudiced and overly strict reading.

Overall, I found it innocuous and entertaining.
If it seems revolutionary or eye opening and you have relevant
responsibilities, then you urgently need more than any such document
can offer.


Vernon Schryver    vjs at rhyolite.com
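The rate-limiting point above (naive per-source query limiting versus RRL) is easier to see in a simulation. The following Python is an added example written for this page; it is not code from the post, from the whitepaper, or from BIND or NSD, and it only models the idea behind response rate limiting: responses are charged against a credit balance keyed on the client netblock plus the identity of the response (all NXDOMAIN answers to one netblock share one bucket), and every slip-th suppressed response is sent truncated (TC=1) so a real resolver can retry over TCP. The limiter parameters, netblock sizes and all the traffic (a spoofed ANY flood forged from a victim resolver's address, the victim's own lookups, and a random-subdomain NXDOMAIN flood from a second netblock) are constructed for the illustration.

```python
"""RRL-style response rate limiting next to naive per-source query limiting.

Added example: not code from the mailing-list post, the whitepaper, BIND or NSD.
Models the RRL idea: count responses per (client netblock, response identity),
give NXDOMAIN answers to a netblock one shared bucket, and replace every
`slip`-th suppressed response with a truncated (TC=1) reply.  All traffic
below is constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Query:
    src: str      # claimed source address; spoofed in a reflection attack
    qname: str
    qtype: str
    rcode: str    # what the server would answer: "NOERROR" or "NXDOMAIN"


class NaiveLimiter:
    """Per-source-address query cap per wall-clock second, no slip."""

    def __init__(self, queries_per_second=4):
        self.qps = queries_per_second
        self.seen = Counter()

    def decide(self, q, t):
        key = (q.src, int(t))
        self.seen[key] += 1
        return "answer" if self.seen[key] <= self.qps else "drop"


class RRL:
    """Credit-balance limiter keyed on the response, not only the source."""

    def __init__(self, responses_per_second=4, nxdomains_per_second=2,
                 window=5, slip=2, ipv4_prefix=24):
        self.rps, self.nxps = responses_per_second, nxdomains_per_second
        self.window, self.slip, self.prefix = window, slip, ipv4_prefix
        self.state = {}   # key -> [credit balance, last update time, suppressed count]

    def _key(self, q):
        net = ip_network(f"{q.src}/{self.prefix}", strict=False)
        if q.rcode == "NXDOMAIN":
            # A random-subdomain flood never repeats a qname, so every NXDOMAIN
            # response to one netblock is charged to a single bucket.
            return (net, "NXDOMAIN")
        return (net, q.qname.lower(), q.qtype)

    def decide(self, q, t):
        key = self._key(q)
        rate = self.nxps if key[1] == "NXDOMAIN" else self.rps
        st = self.state.setdefault(key, [rate, t, 0])   # new bucket starts full
        balance, last, suppressed = st
        balance = min(rate * self.window, balance + rate * (t - last))  # refill
        st[1] = t
        if balance >= 1:
            st[0] = balance - 1
            return "answer"
        st[0] = balance
        st[2] = suppressed + 1
        # Every slip-th suppressed response goes out truncated (TC=1): a few
        # bytes, useless for amplification, but a real resolver retries via TCP.
        if self.slip and st[2] % self.slip == 0:
            return "truncate"
        return "drop"


def build_traffic():
    """Constructed sample: spoofed ANY flood, the victim's own lookups, and a
    random-subdomain NXDOMAIN flood from another netblock.  Times are chosen
    to be exact binary fractions so the credit arithmetic is deterministic."""
    victim = "203.0.113.5"          # resolver whose address the attacker forges
    traffic = []
    for i in range(40):             # 40 identical queries in about 2.4 seconds
        traffic.append((i / 16, "attack", Query(victim, "example.com", "ANY", "NOERROR")))
    for n, t in enumerate((0.53125, 1.53125, 2.53125)):   # victim's real lookups
        traffic.append((t, "legit", Query(victim, f"host{n}.example.net", "A", "NOERROR")))
    for i in range(10):             # NXDOMAIN flood, every qname different
        traffic.append((i / 8, "nx", Query("198.51.100.9", f"x{i}.example.com", "A", "NXDOMAIN")))
    return traffic


def simulate(limiter, traffic):
    """Run traffic through a limiter in time order; return {(tag, decision): n}."""
    out = Counter()
    for t, tag, q in sorted(traffic, key=lambda e: e[0]):
        out[(tag, limiter.decide(q, t))] += 1
    return dict(out)


def run():
    traffic = build_traffic()
    return simulate(NaiveLimiter(), traffic), simulate(RRL(), traffic)


if __name__ == "__main__":
    naive, rrl = run()
    for name, res in (("naive", naive), ("rrl", rrl)):
        print(name, sorted(res.items()))
```

The naive limiter keys on the forged source address, so the victim's own three lookups are dropped along with the flood, and the NXDOMAIN flood is still answered four times a second because each random name looks like a fresh query. The RRL model answers the victim's real lookups (different response identity, different bucket), charges the whole NXDOMAIN flood to one bucket, and turns half of the suppressed flood responses into truncated replies that carry no amplification but let a genuine resolver fall back to TCP.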


