[dns-operations] DNS reflection useful without amplification?

Paul Vixie paul at redbarn.org
Wed Sep 7 08:23:44 UTC 2016



Mark Andrews wrote:
> Reflection requires more time to trace back to the source.  You have to
> trace from the target to the reflector then from the reflector to the
> initiator.
>
> Reflection increases the number of streams that need to be chased back.

yes.

see also this text:

<< We are ... directly aware of a vast number of routers, switches, 
servers, name servers, firewalls, and other on-path devices whose 
principal bottleneck is packets not bits. That is, these devices might 
be able to receive or forward five hundred megabits per second (500 
Mbit/sec) of large packets but only fifty megabits per second (50 
Mbit/sec) of small packets. This is weak engineering on their part but 
we don't get to judge the manufacturers or the operators of these weak 
devices — we must take them into account when planning our defense. >>

(http://www.circleid.com/posts/20130913_on_the_time_value_of_security_features_in_dns/)

anyone who considers this claim dubious is invited to provide a 
counterclaim with its own justification. a mere claim of dubiousness 
with neither counter-claim nor justification is not an example of the 
kind of critical thinking we'll have to use to solve any of the 
internet's security problems. feel free to make your counter-claim as a 
comment on the circle-id article quoted above, if you desire persistence.

-- 
P Vixie
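The packets-not-bits bottleneck in the quoted passage can be turned into a simple capacity model for defensive planning. This is an added example, not code from the thread or from the CircleID article; the packet sizes (1500-byte large packets, 64-byte small packets) are assumptions chosen so that the model reproduces the quoted 500 Mbit/s and 50 Mbit/s figures, and from them it derives how much traffic, in bits, it takes to saturate such a device with small unamplified packets.

```python
# Constructed capacity model (added example, not from the original thread).
# A forwarding device has two ceilings: bits per second (the link rate) and
# packets per second (the lookup/forwarding engine). Throughput at a given
# packet size is whichever ceiling is reached first.

MBIT = 1_000_000
LARGE_PACKET_BYTES = 1500  # assumed: MTU-sized packet
SMALL_PACKET_BYTES = 64    # assumed: minimum-size frame, e.g. a bare DNS query


def pps_ceiling(small_packet_mbit: float, small_packet_bytes: int) -> float:
    """Infer the packets-per-second ceiling from the throughput seen with small packets."""
    return small_packet_mbit * MBIT / (small_packet_bytes * 8)


def effective_mbit(packet_bytes: int, bps_ceiling_mbit: float, pps_limit: float) -> float:
    """Throughput (Mbit/s) the device can actually pass for packets of this size."""
    packets_limited = pps_limit * packet_bytes * 8 / MBIT
    return min(bps_ceiling_mbit, packets_limited)


def saturating_bits(packet_bytes: int, bps_ceiling_mbit: float, pps_limit: float) -> float:
    """Mbit/s a flood of this packet size must deliver to saturate the device.

    For small packets this equals the pps ceiling times the packet size, i.e.
    far fewer bits than the advertised link rate: this is why an unamplified
    reflection flood of small packets is still dangerous to such a device.
    """
    return effective_mbit(packet_bytes, bps_ceiling_mbit, pps_limit)


def capacity_table(bps_ceiling_mbit: float = 500.0,
                   small_packet_mbit: float = 50.0) -> dict:
    """Effective capacity in Mbit/s for a range of packet sizes."""
    pps_limit = pps_ceiling(small_packet_mbit, SMALL_PACKET_BYTES)
    return {size: effective_mbit(size, bps_ceiling_mbit, pps_limit)
            for size in (64, 128, 256, 512, 1024, LARGE_PACKET_BYTES)}


if __name__ == "__main__":
    limit = pps_ceiling(50.0, SMALL_PACKET_BYTES)
    print(f"inferred pps ceiling: {limit:,.0f} packets/s")
    for size, mbit in capacity_table().items():
        print(f"{size:5d}-byte packets: {mbit:6.1f} Mbit/s effective")
```

The table shows the quoted device passing 500 Mbit/s of 1500-byte packets but only 50 Mbit/s of 64-byte packets, so a small-packet flood needs a tenth of the bit rate to saturate it.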
