[dns-operations] Configurable TC=1?

Paul Vixie paul at redbarn.org
Mon Dec 21 05:04:17 UTC 2015


On Monday, December 21, 2015 05:33:00 AM Ralph Babel wrote:
> Paul Vixie wrote:
> > this won't help all victims of dns amplification
> > attacks, since many of the congestion points are
> > measured in PPS not BPS.
> 
> One response packet for one query packet doesn't
> sound like much of a PPS amplification to me.

reflection is all that's required when the bottleneck is PPS.

> If PPS is a victim's bottleneck, then attackers might
> just as well use their primary bandwidth without any
> type of reflection (disregarding fragmentation, which
> can already be taken care of by "max-udp-size" today).

ddos traceback often relies on hop by hop utilization curve matching. thus, reflection is useful 
for hiding attack sources, due to signal dispersion.

we need attenuation in all reflectors, measured in both BPS and PPS.

-- 
P Vixie
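
The point about attenuating in both BPS and PPS, as an added example that is not part of the original message and is not taken from any DNS server's code: a limiter keyed on the claimed source network with independent packet and byte budgets. The class names, the `pps`/`bps` parameters, the /24 grouping, the one-second burst and the replayed traffic are all assumptions constructed for illustration.

```python
import ipaddress

class Bucket:
    """Token bucket: refills at `rate` units per second, capped at one second's worth."""
    def __init__(self, rate):
        self.rate, self.tokens, self.stamp = rate, float(rate), 0.0

    def refill(self, now):
        self.tokens = min(self.rate, self.tokens + (now - self.stamp) * self.rate)
        self.stamp = now

class ReflectorLimiter:
    """Response limiter keyed on the claimed source network, with independent
    packets/second and bytes/second budgets. None disables a dimension
    (hypothetical knob, used here only to compare the two policies)."""
    def __init__(self, pps=None, bps=None, prefix_len=24):
        self.pps, self.bps, self.prefix_len = pps, bps, prefix_len
        self.state = {}

    def allow(self, claimed_src, response_bytes, now):
        # With spoofed queries the claimed source is the victim, so the
        # budget is per destination network rather than per address.
        net = ipaddress.ip_network(f"{claimed_src}/{self.prefix_len}", strict=False)
        if net not in self.state:
            self.state[net] = [Bucket(r) if r else None for r in (self.pps, self.bps)]
        charges = [(b, cost) for b, cost in zip(self.state[net], (1, response_bytes)) if b]
        for bucket, _ in charges:
            bucket.refill(now)
        # Debit only when every enabled budget can pay, so a response that is
        # suppressed for one reason does not consume the other budget.
        if any(bucket.tokens < cost for bucket, cost in charges):
            return False
        for bucket, cost in charges:
            bucket.tokens -= cost
        return True

def replay(limiter, n_queries, response_bytes, duration=1.0):
    """Constructed traffic: n evenly spaced queries, all claiming one source.
    Returns (packets reflected, bytes reflected)."""
    sent = sum(limiter.allow("192.0.2.10", response_bytes, i * duration / n_queries)
               for i in range(n_queries))
    return sent, sent * response_bytes

if __name__ == "__main__":
    # 10,000 queries in one second, each answered with a 100-byte response.
    print("BPS only :", replay(ReflectorLimiter(bps=1_000_000), 10_000, 100))
    print("BPS + PPS:", replay(ReflectorLimiter(pps=100, bps=1_000_000), 10_000, 100))
```

With the byte budget alone, every small response fits and the full packet rate is reflected; adding the packet budget is what attenuates it.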