[dns-operations] Configurable TC=1?

Paul Vixie paul at redbarn.org
Wed Dec 23 18:26:16 UTC 2015


On Wednesday, December 23, 2015 10:07:46 AM Ralf Weber wrote:
> Moin!

Gack!

> On 21 Dec 2015, at 22:58, Paul Vixie wrote:
> > the TXT response for nether.net is 306 octets. that's 5X amplification factor (BPS), which is
> > relatively common since there is an SPF RR there. qtype=ANY is not required for a successful
> > amplification attack against that authority server, so if it stops working, i would expect the
> > bad guys to simply "adapt".
> 
> Could be, but so far most amplification has been using ANY or straight
> lots of (>250) A records, which gives the same result. Seems like there
> are more script kiddies out there than intelligent attackers, so you
> need a way to defend against them.

if your goal is to educate and motivate and improve the breed of attackers, then low-end
solutions which only require a one line code change on their part and which preserve the rest
of their approach intact, are right for you.

that is not my goal. i want to make dns hard enough to use for reflection that the attacker has
to retool and go to some other protocol. that means attenuation at both the BPS and PPS
level. and it means no RR type filtering.

i have no business interest in a long dance with dns-related attackers. i want them gone. they
can use billions of TCP responders to get 5X to 20X amplification at both the BPS and PPS
level. let's force that outcome.

-- 
P Vixie
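The amplification arithmetic behind this exchange, as an added example that is not code from the thread or from any of its participants. It builds a TXT query for nether.net in DNS wire format, estimates the bytes-per-second (BPS) and packets-per-second (PPS) amplification of a reply of a given size, and builds the kind of TC=1 reply the subject line asks about. Assumptions, not facts from the thread: IPv4/UDP transport with 20+8 byte headers, a 1500-byte path MTU, an EDNS0 OPT record on the query (which makes the 306-octet reply come out at about 5X on the wire), and a constructed 3000-octet size for a large ANY reply; the real nether.net records are not reproduced.

```python
"""Estimate DNS reflection amplification (BPS and PPS) and show what a TC=1 reply does to it.

Added example; not code from the dns-operations thread. Header sizes, MTU and the
ANY reply size below are assumptions chosen for illustration.
"""
import math
import struct

IPV4_HDR = 20                 # assumed: IPv4 without options
UDP_HDR = 8
MTU = 1500                    # assumed path MTU
FRAG_DATA = (MTU - IPV4_HDR) // 8 * 8   # IPv4 fragment payload must be a multiple of 8 (1480)

TYPE_TXT = 16
TYPE_OPT = 41


def encode_name(name):
    """Encode a domain name as uncompressed DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype, txid=0x1234, edns=True, bufsize=4096):
    """Build a recursion-desired UDP query, optionally carrying an EDNS0 OPT RR."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)       # QTYPE, QCLASS=IN
    # OPT RR: root name, TYPE 41, CLASS = advertised UDP payload size, TTL = 0, RDLENGTH = 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, 0, 0) if edns else b""
    return header + question + opt


def question_end(msg):
    """Offset just past the question section of a one-question message (no compression in queries)."""
    off = 12
    while msg[off] != 0:
        off += 1 + msg[off]
    return off + 1 + 4             # terminator, QTYPE, QCLASS


def truncated_response(query):
    """Reply with TC=1 and empty sections: echo ID and question, set QR and TC, keep RD."""
    txid, flags = struct.unpack("!HH", query[:4])
    flags = 0x8000 | 0x0200 | (flags & 0x0100)     # QR=1, TC=1, RD copied, RCODE=0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + query[12:question_end(query)]


def is_truncated(msg):
    """True if the TC bit is set in the message header."""
    return bool(struct.unpack("!H", msg[2:4])[0] & 0x0200)


def wire_size(dns_len):
    """Return (bytes on the wire, IPv4 packets on the wire) for a UDP datagram carrying dns_len bytes."""
    packets = max(1, math.ceil((UDP_HDR + dns_len) / FRAG_DATA))
    return dns_len + UDP_HDR + IPV4_HDR * packets, packets


def amplification(query, response_len):
    """Return (BPS factor, PPS factor) of a response_len-byte reply to the given query."""
    qbytes, qpackets = wire_size(len(query))
    rbytes, rpackets = wire_size(response_len)
    return rbytes / qbytes, rpackets / qpackets


if __name__ == "__main__":
    q = build_query("nether.net", TYPE_TXT)          # 39 bytes with the OPT RR, 67 on the wire
    cases = [
        ("TXT, 306-octet reply (size quoted in the thread)", 306),
        ("ANY, 3000-octet reply (constructed size)", 3000),
        ("TC=1 reply to the same TXT query", len(truncated_response(q))),
    ]
    for label, rlen in cases:
        bps, pps = amplification(q, rlen)
        print(f"{label:50s} BPS x{bps:5.2f}  PPS x{pps:4.2f}")
```

Run as a script, the three rows show the point of the thread: the plain TXT reply lands near 5X BPS with no ANY query involved, the large ANY reply fragments and so amplifies in packets as well as bytes, and a TC=1 reply is smaller than the query that provoked it, pushing the attacker to TCP (or to another protocol) for any amplification at all.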