[dns-operations] "Poorly configured DNSSEC servers at root of DDoS attacks"
Jared Mauch
jared at puck.nether.net
Wed Sep 7 13:00:06 UTC 2016
> On Sep 7, 2016, at 8:31 AM, Roland Dobbins <rdobbins at arbor.net> wrote:
>
> Can confirm - ANY and lots of TXT responses are a very strong, useful signal when it comes to sorting the wheat from the chaff on the reflector/amplifier ---> target leg of DNS reflection/amplification attacks.
I’d be interested in seeing software provide a more granular option than any-to-tcp so we can do it based on response size, e.g.: (if over 128 bytes, send TC=1).
Lots of CPE or embedded dnsmasq stuff doesn’t handle TC facing stub well.
- Jared
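
A sketch of the size-based policy suggested above, as an added example that is not part of the original post and not taken from any DNS server: a UDP response over the threshold is replaced by its header and question section with TC=1, so a real client retries over TCP while a spoofed source receives only a small reply. The function names and the constructed sample message are hypothetical; the 128-byte limit is the figure from the post.

```python
import struct

TC_FLAG = 0x0200  # TC bit in the DNS header flags word (RFC 1035)

def question_end(msg, qdcount):
    """Return the offset just past the question section of a well-formed message."""
    off = 12
    for _ in range(qdcount):
        while True:
            length = msg[off]
            if length == 0:              # root label terminates the name
                off += 1
                break
            if length & 0xC0 == 0xC0:    # compression pointer terminates the name
                off += 2
                break
            off += 1 + length
        off += 4                         # QTYPE + QCLASS
    return off

def apply_size_policy(response, limit=128):
    """Return the UDP payload to send: unchanged if small, else header+question with TC=1.

    Simplification: all records are dropped; a production server would
    normally keep the EDNS OPT record in the truncated reply.
    """
    if len(response) <= limit:
        return response
    ident, flags, qd, _an, _ns, _ar = struct.unpack("!6H", response[:12])
    end = question_end(response, qd)
    header = struct.pack("!6H", ident, flags | TC_FLAG, qd, 0, 0, 0)
    return header + response[12:end]

def build_sample(txt_len):
    """Constructed sample: a response to 'example.com TXT' with one TXT string."""
    question = b"\x07example\x03com\x00" + struct.pack("!2H", 16, 1)  # TXT, IN
    rdata = bytes([txt_len]) + b"x" * txt_len
    answer = b"\xc0\x0c" + struct.pack("!2HIH", 16, 1, 300, len(rdata)) + rdata
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    return header + question + answer

if __name__ == "__main__":
    for n in (20, 200):
        resp = build_sample(n)
        out = apply_size_policy(resp)
        print(f"original {len(resp)} bytes -> sent {len(out)} bytes")
```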