[dns-operations] Configurable TC=1?
Paul Vixie
paul at redbarn.org
Fri Dec 25 02:09:24 UTC 2015
On Thursday, December 24, 2015 12:22:41 PM Ralf Weber wrote:
> Moin!
Gack!
> My goal is to help people to mitigate attacks. For that I use all of the
> available tools.
every time we use an incrementally just-good-enough tool to stop attackers, we educate
them without demotivating them. please stop. the systemic defects in the internet that make
it insecure include the approach you are describing.
> There are scenarios where RRL just won't work as others have pointed
> out.
no. actually, what's been described are various bypasses that work around RRL, all of which
are far more expensive (in retooling costs) to attackers than shifting to a completely different
protocol (SSDP, ICMP, NTP, or TCP-SYN).
--
P Vixie