DNS Amplification Attacks... and a trivial proposal

Phil Mayers p.mayers at imperial.ac.uk
Thu Jun 13 09:33:43 UTC 2013

On 06/13/2013 06:31 AM, Ronald F. Guilmette wrote:

> 1)  If everyone on the planet were to somehow magically and immediately be
> converted over to DNSSEC tomorrow, then would DNS amplification attacks
> become a thing of the past, starting tomorrow?  Does DNSSEC "solve" the
> DNS amplification attack problem?  Or does it have no direct bearing on

No, quite the opposite in fact. By increasing the size of responses, 
DNSSEC arguably makes the amplification problem (slightly) worse.

DNSSEC is a good thing and necessary for other reasons, but it does not 
help amplification attacks.

> 2)  Has anyone ever proposed adding to the DNS protocol something vaguely
> reminicent of the old ICMP Source Quench?  If so, what became of that
> proposal?


> Basically, the whole idea is just simply to allow a victim to switch to
> "safe TCP only mode" with all of the intermediaries that are participating

The problem with that idea is that it needs software updates on both the 
reflecting DNS server and the victim. It also seems to require keeping a 
lot of soft state in the endpoints.

Altogether, it seems easier for everyone to just apply RRL patches, do 
BCP38 and de-peer with people who don't do BCP38.

More information about the bind-users mailing list