[116517] in North American Network Operators' Group


Re: DNS hardening, was Re: Dan Kaminsky

daemon@ATHENA.MIT.EDU (Paul Vixie)
Thu Aug 6 02:52:10 2009

To: nanog@merit.edu
From: Paul Vixie <vixie@isc.org>
Date: Thu, 06 Aug 2009 06:51:24 +0000
In-Reply-To: <75cb24520908051853t6c0f05d3l94c404d3227d191c@mail.gmail.com>
	(Christopher Morrow's message of "Wed, 5 Aug 2009 21:53:44 -0400")
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Christopher Morrow <morrowc.lists@gmail.com> writes:

> how does SCTP ensure against spoofed or reflected attacks?

there is no server side protocol control block required in SCTP.  someone
sends you a "create association" request, you send back a "ok, here's your
cookie" and you're done until/unless they come back and say "ok, here's my
cookie, and here's my DNS request."  so a spoofer doesn't get a cookie and
a reflector doesn't burden a server any more than a ddos would do.

because of the extra round trips nec'y to create an SCTP "association" (for
which you can think, lightweight TCP-like session-like), it's going to be
nec'y to leave associations in place between iterative caches and authority
servers, and in place between stubs and iterative caches.  however, because
the state is mostly on the client side, a server with associations open to
millions of clients at the same time is actually no big deal.
-- 
Paul Vixie
KI6YSY
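An added illustration of the cookie exchange described above (example code, not from this message or from any real SCTP implementation): a server that keeps no per-client control block until a valid cookie is echoed back, so a spoofed INIT leaves no state behind and a forged or relocated cookie is refused. The HMAC key, the 60-second lifetime and the addresses are assumptions.

```python
"""Stateless cookie handshake in the style of SCTP INIT / INIT-ACK / COOKIE-ECHO.

Constructed example. The server answers INIT with a self-authenticating cookie
and stores nothing; an association (the "TCB") is created only when a cookie
that verifies comes back from the same address it was issued to.
"""
import hashlib
import hmac
import os
import struct

COOKIE_LIFETIME = 60.0   # seconds a cookie stays valid (assumed value)
_HDR = struct.Struct("!Id")   # peer verification tag (u32) + issue time (f64)
_MAC_LEN = 32                 # SHA-256 HMAC tag length


class StatelessServer:
    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)   # server-side key; never sent
        self.associations = {}                    # populated only after COOKIE-ECHO

    def _mac(self, body: bytes) -> bytes:
        return hmac.new(self.secret, body, hashlib.sha256).digest()

    def on_init(self, src_addr: str, peer_tag: int, now: float) -> bytes:
        """INIT handler: build and return the cookie; allocate no state at all."""
        body = _HDR.pack(peer_tag, now) + src_addr.encode()
        return body + self._mac(body)

    def on_cookie_echo(self, src_addr: str, cookie: bytes, now: float) -> bool:
        """COOKIE-ECHO handler: verify before any state is created."""
        if len(cookie) < _HDR.size + _MAC_LEN:
            return False
        body, tag = cookie[:-_MAC_LEN], cookie[-_MAC_LEN:]
        if not hmac.compare_digest(self._mac(body), tag):
            return False                      # forged or tampered cookie
        peer_tag, issued = _HDR.unpack(body[:_HDR.size])
        if body[_HDR.size:] != src_addr.encode():
            return False                      # cookie reflected to a different address
        if now - issued > COOKIE_LIFETIME:
            return False                      # stale cookie, refuse to keep it alive
        self.associations[(src_addr, peer_tag)] = now   # state exists only from here
        return True


if __name__ == "__main__":
    s = StatelessServer()
    spoofed_reply = s.on_init("198.51.100.7", 1, 0.0)   # reply goes to the forged source
    print("state after spoofed INIT:", s.associations)   # {} : nothing to exhaust
    cookie = s.on_init("192.0.2.10", 42, 0.0)
    print("legit echo accepted:", s.on_cookie_echo("192.0.2.10", cookie, 1.0))
```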
