[116491] in North American Network Operators' Group
Re: DNS hardening, was Re: Dan Kaminsky
daemon@ATHENA.MIT.EDU (Christopher Morrow)
Wed Aug 5 17:55:31 2009
In-Reply-To: <4A79F8A3.9040302@mail-abuse.org>
Date: Wed, 5 Aug 2009 17:49:28 -0400
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Douglas Otis <dotis@mail-abuse.org>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Wed, Aug 5, 2009 at 5:24 PM, Douglas Otis<dotis@mail-abuse.org> wrote:
> On 8/5/09 11:31 AM, Roland Dobbins wrote:
>>
>> On Aug 6, 2009, at 1:12 AM, Douglas Otis wrote:
>>
>>> Having major providers support the SCTP option will mitigate disruptions
>>> caused by DNS DDoS attacks using less resources.
>>
>> Can you elaborate on this (or are you referring to removing the spoofing
>> vector?)?
>
> SCTP is able to simultaneously exchange chunks (DNS messages) over an
> association. Initialization of associations can offer alternative servers
> for immediate fail-over, which might be seen as means to arrange anycast
> style redundancy. Unlike TCP, resource commitments are only retained within
> the cookies exchanged. This avoids consumption of resources for tracking
> transaction commitments for what might be spoofed sources. Confirmation of
> the small cookie also offers protection against reflected attacks by spoofed
> sources. In addition to source validation, the 32 bit verification tag and
> TSN would add a significant amount of entropy to the DNS transaction ID.
>
> The SCTP stack is able to perform the housekeeping needed to allow
> associations to persist beyond a single transaction, nor would there be a need
> to push partial packets, as is needed with TCP.
and state-management seems like it won't be too much of a problem on
that dns server... wait, yes it will.
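To make the cookie argument in the quoted text concrete, here is an added illustration (not code from this thread or from any SCTP implementation) of the SCTP-style four-way handshake on the server side: the responder answers INIT with an HMAC-protected cookie and allocates association state only when a valid COOKIE-ECHO comes back from the same source. The class name, field layout and address check are simplifications assumed for this example, not the RFC 4960 cookie format.

```python
import hashlib
import hmac
import os
import struct
import time


class StatelessResponder:
    """Simplified SCTP-style responder (constructed example, not RFC 4960).

    No per-association state is created on INIT; everything needed is
    carried in the cookie, so spoofed INIT floods cost the server nothing
    beyond one HMAC per packet, and a spoofed source never sees the cookie
    it would need to echo.
    """

    MAC_LEN = 32  # SHA-256 digest length

    def __init__(self, secret=None, lifetime=60):
        self.secret = secret or os.urandom(32)  # rotate periodically in practice
        self.lifetime = lifetime                # cookie validity in seconds
        self.associations = {}                  # filled only after COOKIE-ECHO

    def on_init(self, src_addr, peer_vtag, now=None):
        """Handle INIT: return (our verification tag, cookie) and keep no state."""
        now = int(time.time() if now is None else now)
        my_vtag = struct.unpack(">I", os.urandom(4))[0]   # 32-bit random tag
        body = struct.pack(">IIQ", my_vtag, peer_vtag, now) + src_addr.encode()
        mac = hmac.new(self.secret, body, hashlib.sha256).digest()
        return my_vtag, body + mac

    def on_cookie_echo(self, src_addr, cookie, now=None):
        """Handle COOKIE-ECHO: verify the cookie, then create the association.

        Returns our verification tag on success, None if the cookie is forged,
        expired, or echoed from an address other than the one it was issued to.
        """
        now = int(time.time() if now is None else now)
        body, mac = cookie[:-self.MAC_LEN], cookie[-self.MAC_LEN:]
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return None
        my_vtag, peer_vtag, issued = struct.unpack(">IIQ", body[:16])
        if body[16:].decode() != src_addr or now - issued > self.lifetime:
            return None
        # Only now does the server commit resources to this peer.
        self.associations[my_vtag] = (src_addr, peer_vtag)
        return my_vtag
```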