DNS Amplification Attacks... and a trivial proposal

Ronald F. Guilmette rfg at tristatelogic.com
Thu Jun 13 21:01:20 UTC 2013


In message <51B991F7.9070706 at imperial.ac.uk>, 
Phil Mayers <p.mayers at imperial.ac.uk> wrote:

>On 06/13/2013 06:31 AM, Ronald F. Guilmette wrote:
>> 2)  Has anyone ever proposed adding to the DNS protocol something vaguely
>> reminiscent of the old ICMP Source Quench?  If so, what became of that
>> proposal?
>...
>> Basically, the whole idea is just simply to allow a victim to switch to
>> "safe TCP only mode" with all of the intermediaries that are participating
>
>The problem with that idea is that it needs software updates on both the 
>reflecting DNS server and the victim.

Yes.

Is there _any_ even remotely viable proposal for ridding the world of these
damn DDoS amplification attacks that _doesn't_ require either software
updates or worse, hardware updates?

The entire problem is fundamentally a result of the introduction of EDNS0.
Wouldn't you agree?  The introduction of that change also "needed software
updates" on both the sending and receiving side.  (That was accomplished
it seems.)  Should anyone be in the least bit surprised to learn that a
widespread software update might be necessary in order to counteract the
clear (and for some people/sites/companies, catastrophic) effect of an
earlier software update?

>It also seems to require keeping a lot of soft state in the endpoints.

Please define "a lot".

You and I apparently have differing definitions of that term.


Regards,
rfg
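The thread above argues that EDNS0's advertised UDP payload size is what turns a small query into a large reflected response, and that a victim's only fallback today is TCP. The following is an added example (not code from the thread or from BIND) that builds a query with an OPT record, reads the advertised size back out of the wire format, and shows a server-side policy that caps UDP responses and returns a truncated (TC) reply instead; the 1232-byte cap and the 3000-byte answer are assumed values for illustration.

```python
import struct

DNS_TYPE_OPT = 41  # EDNS0 OPT pseudo-RR (RFC 6891)

def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, qtype: int = 255, edns_payload: int = 0) -> bytes:
    """Minimal DNS query. With edns_payload > 0 an OPT RR is appended in the
    additional section; its CLASS field carries the UDP size the client claims."""
    header = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns_payload else 0)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    opt = b""
    if edns_payload:
        # root name, TYPE=41, CLASS=payload size, TTL=extended flags, RDLEN=0
        opt = b"\x00" + struct.pack(">HHIH", DNS_TYPE_OPT, edns_payload, 0, 0)
    return header + question + opt

def _skip_name(msg: bytes, off: int) -> int:
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def _question_end(msg: bytes) -> int:
    qd = struct.unpack(">H", msg[4:6])[0]
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    return off

def advertised_udp_size(msg: bytes) -> int:
    """EDNS0 UDP payload size advertised by a message, or 512 if no OPT RR.
    RFC 6891 requires values below 512 to be treated as 512."""
    _, _, _, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off, size = _question_end(msg), 512
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == DNS_TYPE_OPT:
            size = max(rclass, 512)
    return size

def respond(query: bytes, answer_len: int, server_max_udp: int = 1232):
    """Return (bytes sent over UDP, truncated). The server honours the smaller of
    the advertised size and its own cap (1232 assumed); anything larger goes back as
    header + question with TC set, so a real client retries over TCP while a
    spoofed victim receives only a few dozen bytes."""
    if answer_len <= min(advertised_udp_size(query), server_max_udp):
        return answer_len, False
    return _question_end(query), True

def amplification_factor(query: bytes, bytes_sent: int) -> float:
    return round(bytes_sent / len(query), 1)
```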



More information about the bind-users mailing list