[116532] in North American Network Operators' Group


Re: DNS hardening, was Re: Dan Kaminsky

daemon@ATHENA.MIT.EDU (Christopher Morrow)
Thu Aug 6 10:26:57 2009

In-Reply-To: <g3my6diger.fsf@nsa.vix.com>
Date: Thu, 6 Aug 2009 10:18:11 -0400
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Paul Vixie <vixie@isc.org>
Cc: nanog@merit.edu
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Thu, Aug 6, 2009 at 2:51 AM, Paul Vixie<vixie@isc.org> wrote:
> Christopher Morrow <morrowc.lists@gmail.com> writes:
>
>> how does SCTP ensure against spoofed or reflected attacks?
>
> there is no server side protocol control block required in SCTP. someone
> sends you a "create association" request, you send back a "ok, here's your
> cookie" and you're done until/unless they come back and say "ok, here's my
> cookie, and here's my DNS request." so a spoofer doesn't get a cookie and
> a reflector doesn't burden a server any more than a ddos would do.

awesome, how does that work with devices in the f-root-anycast design?
(both local hosts in the rack and if I flip from rack to rack) If I
send along a request to a host with which I do not have an association
created, do I get a failure and then re-setup? (inducing further
latency)

> because of the extra round trips nec'y to create an SCTP "association" (for
> which you can think, lightweight TCP-like session-like), it's going to be
> nec'y to leave associations in place between iterative caches and authority
> servers, and in place between stubs and iterative caches. however, because
> the state is mostly on the client side, a server with associations open to
> millions of clients at the same time is actually no big deal.

See question above, as well as: "Do loadbalancers, or loadbalanced
deployments, deal with this properly?" (loadbalancers like F5, citrix,
radware, cisco, etc...)

-Chris
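The stateless cookie exchange Paul describes above (INIT, INIT-ACK carrying a cookie, COOKIE-ECHO), modelled as an added Python example; this is not code from the thread or from any real SCTP stack, and the addresses, tags and the HMAC-over-(address, tag, timestamp) cookie layout are constructed assumptions:

```python
import hashlib
import hmac
import os

MAC_LEN = 32  # length of the SHA-256 tag appended to each cookie


class StatelessSctpServer:
    """Toy model of SCTP's INIT / INIT-ACK / COOKIE-ECHO exchange: the server
    allocates nothing on INIT; the association is rebuilt from the cookie."""

    def __init__(self, key=None, lifetime=60):
        self.key = key or os.urandom(32)  # per-server secret (rotated in real stacks)
        self.lifetime = lifetime          # seconds a cookie stays valid
        self.associations = {}            # (addr, tag) -> established association

    def handle_init(self, src_addr, client_tag, now):
        """INIT -> INIT-ACK: hand out a signed cookie, keep no state."""
        body = f"{src_addr}|{client_tag}|{int(now)}".encode()
        mac = hmac.new(self.key, body, hashlib.sha256).digest()
        return body + mac  # delivered to src_addr, whoever that really is

    def handle_cookie_echo(self, src_addr, cookie, now):
        """COOKIE-ECHO -> COOKIE-ACK: accept only a cookie we signed, returned
        from the address it was issued to, within its lifetime."""
        body, mac = cookie[:-MAC_LEN], cookie[-MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False  # forged or corrupted cookie
        addr, tag, issued = body.decode().split("|")
        if addr != src_addr or int(now) - int(issued) > self.lifetime:
            return False  # replayed from another address, or stale
        self.associations[(addr, tag)] = {"issued": int(issued)}
        return True


def spoofed_init_is_harmless():
    """Attacker sends INIT with a forged source (constructed addresses): the
    cookie goes to the forged address and the attacker cannot mint one."""
    server = StatelessSctpServer()
    server.handle_init("203.0.113.7", "deadbeef", now=1000)
    forged = b"203.0.113.7|deadbeef|1000" + b"\x00" * MAC_LEN
    return server.handle_cookie_echo("203.0.113.7", forged, now=1001), len(server.associations)


def legitimate_client_associates():
    """A real client echoes its cookie from the same address and gets state."""
    server = StatelessSctpServer()
    cookie = server.handle_init("192.0.2.10", "c0ffee", now=1000)
    return server.handle_cookie_echo("192.0.2.10", cookie, now=1005), len(server.associations)
```

The INIT-ACK is about the size of the INIT and costs the server no allocation, which is why a spoofed or reflected INIT flood is no worse for the server than plain packet volume.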
