[dns-operations] Configurable TC=1?
Paul Vixie
paul at redbarn.org
Wed Dec 23 18:26:16 UTC 2015
On Wednesday, December 23, 2015 10:07:46 AM Ralf Weber wrote:
> Moin!
Gack!
> On 21 Dec 2015, at 22:58, Paul Vixie wrote:
> > the TXT response for nether.net is 306 octets. that's 5X amplification
> > factor (BPS), which is
> > relatively common since there is an SPF RR there. qtype=ANY is not
> > required for a successful
> > amplification attack against that authority server, so if it stops
> > working, i would expect the
> > bad guys to simply "adapt".
>
> Could be, but so far most amplification has been using ANY or straight
> lots of (>250) A records, which gives the same result. Seems like there
> are more script kiddies out there than intelligent attackers, so you
> need a way to defend against them.
if your goal is to educate and motivate and improve the breed of attackers, then low-end
solutions which only require a one line code change on their part and which preserve the rest
of their approach intact, are right for you.
that is not my goal. i want to make dns hard enough to use for reflection that the attacker has
to retool and go to some other protocol. that means attenuation at both the BPS and PPS
level. and it means no RR type filtering.
i have no business interest in a long dance with dns-related attackers. i want them gone. they
can use billions of TCP responders to get 5X to 20X amplification at both the BPS and PPS
level. let's force that outcome.
--
P Vixie
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20151223/2fb7c38d/attachment.html>
More information about the dns-operations
mailing list