DNS Amplification Attacks... and a trivial proposal

Vernon Schryver vjs at rhyolite.com
Sat Jun 15 00:13:30 UTC 2013


> From: Doug Barton <dougb at dougbarton.us>

>         is that (like RRL) your proposal relies on people updating their 
> software.

RRL needs only authority and open recursive servers to be updated.
The vast majority of DNS installations are closed recursive and stub
servers that do not need RRL.  (A case could be made for RRL on a
minority of private recursive servers.)

Other ideas that I like such as DNS cookies would need more widespread
changes, which makes enthusiasm for them taxing.


>                                     RRL is actually useful for DDOS 
> attacks against the authoritative server itself. There are likely other 
> reasons, but those are the most obvious (to me anyway).

That's in the RRL sales story that I've been flogging since before the
first version of the RRL patch, but so far it has been only incidentally
true.  Some DNS server operators have reported drastic reductions in
network and CPU load during attacks thanks to RRL, but they were not
the intended victims of the attacks.


Vernon Schryver    vjs at rhyolite.com
   Please join me in trying not to feed the troll.
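The response rate limiting mechanism discussed in this message, as an added example that is not part of the original post and is not BIND's own rrl.c: a simplified model of the BIND "rate-limit" idea, in which identical responses to the same client netblock draw on a per-(netblock, response) credit balance and every Nth suppressed answer is sent truncated ("slip") so that a legitimate client at a spoofed address can retry over TCP. The parameter names (responses_per_second, window, slip, ipv4_prefixlen), the response sizes, the query counts and the documentation-range addresses are all constructed for the illustration.

```python
"""Simplified model of DNS Response Rate Limiting (RRL).

Added illustration written for this page; it is not BIND's rrl.c, and the
numbers below are constructed. It mirrors the idea behind the BIND
``rate-limit`` clause: identical responses to the same client netblock are
metered with a per-(netblock, response) credit balance, and every Nth
suppressed response is sent truncated ("slip") so that a legitimate client
sitting at a spoofed address can still retry over TCP.
"""
from ipaddress import ip_network

DROP, SLIP, SEND = "drop", "slip", "send"


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, window=15, slip=2, ipv4_prefixlen=24):
        self.rate = responses_per_second      # assumed analogue of responses-per-second
        self.window = window                  # seconds of credit that may accumulate
        self.slip = slip                      # every slip-th suppressed answer is sent truncated
        self.prefixlen = ipv4_prefixlen       # assumed analogue of ipv4-prefix-length
        # (netblock, qname, qtype, rcode) -> (credits, last_seen, suppressed_count)
        self.state = {}

    def _netblock(self, client_ip):
        return str(ip_network(f"{client_ip}/{self.prefixlen}", strict=False))

    def decide(self, client_ip, qname, qtype, rcode, now):
        """Return SEND, SLIP or DROP for one response about to leave the server."""
        key = (self._netblock(client_ip), qname.lower().rstrip("."), qtype, rcode)
        credits, last, suppressed = self.state.get(key, (self.rate, now, 0))
        # replenish credits for the time elapsed, capped at one window's worth
        credits = min(credits + (now - last) * self.rate, self.rate * self.window)
        credits -= 1
        if credits >= 0:
            self.state[key] = (credits, now, 0)
            return SEND
        # over the limit: cap the debt so a burst cannot penalise the netblock forever
        credits = max(credits, -self.rate * self.window)
        suppressed += 1
        self.state[key] = (credits, now, suppressed)
        return SLIP if self.slip and suppressed % self.slip == 0 else DROP


ANY_RESPONSE_BYTES = 3000     # constructed size of a large ANY answer
TRUNCATED_BYTES = 40          # constructed size of a TC=1 header-only reply
COST = {SEND: ANY_RESPONSE_BYTES, SLIP: TRUNCATED_BYTES, DROP: 0}


def simulate(attack_queries=1000):
    """Reflect an ANY flood at a spoofed victim while a real client keeps querying.

    Returns the per-verdict counts and the bytes the server would emit with
    and without RRL. All addresses are documentation ranges (constructed).
    """
    rrl = ResponseRateLimiter()
    verdicts = {SEND: 0, SLIP: 0, DROP: 0}
    # attacker: spoofed 'ANY example.com' queries "from" the victim 203.0.113.7, spread over one second
    for i in range(attack_queries):
        v = rrl.decide("203.0.113.7", "example.com.", "ANY", "NOERROR", now=i / attack_queries)
        verdicts[v] += 1
    # legitimate client in another netblock asking a different question during the flood
    legit_sent = sum(
        rrl.decide("198.51.100.5", "www.example.com.", "A", "NOERROR", now=t) == SEND
        for t in (0.2, 0.5, 0.8)
    )
    return {
        **verdicts,
        "legit_sent": legit_sent,
        "bytes_without_rrl": attack_queries * ANY_RESPONSE_BYTES,
        "bytes_with_rrl": sum(COST[v] * n for v, n in verdicts.items()),
    }


if __name__ == "__main__":
    print(simulate())
```

With the constructed parameters only the first five reflected answers go out at full size, half of the remaining 995 are dropped and half are answered with a truncated reply, so the bytes aimed at the victim fall from 3,000,000 to under 35,000 while the unrelated client's three queries are all answered. The model keys on the response, not just the source address, which is why a client sharing the victim's /24 but asking a different question is unaffected; the collateral case of a real client asking the very same question from the spoofed netblock is what the slip is there to rescue.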

