[143171] in North American Network Operators' Group


Re: DNS DoS ???

daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Sun Jul 31 22:29:31 2011

From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Mon, 1 Aug 2011 02:27:19 +0000
In-Reply-To: <20110801022201.D830F125A9D2@drugs.dv.isc.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Aug 1, 2011, at 9:22 AM, Mark Andrews wrote:

> And even if DNS/TCP was use by default machines can still get DoS'd because IP is spoofable.

They can be DDoSed with spoofed or non-spoofed packets, and there are defenses against such attacks.

Apologies if I was unclear - my point was that huge, crushing, multi-gigabit-per-second DNS reflection/amplification attacks would no longer be possible with a TCP-only DNS, and that there would be other benefits, as well.  Large-scale testing of TCP-only DNS would be quite informative, IMHO.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

		The basis of optimism is sheer terror.

			  -- Oscar Wilde
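The reason the post gives for TCP-only DNS killing reflection/amplification is that a UDP resolver answers whoever the packet claims to be from, while a TCP resolver only sends data after a handshake that the true owner of the source address has to complete. The following toy simulation, added here as an illustration and not code from the thread or from any resolver, models both transports over an abstract network that routes on destination only (so source spoofing is possible) and measures how many bytes land at the claimed source. All addresses, packet sizes and the 32-bit random ISN are constructed assumptions; real DNS message sizes vary by query and zone.

```python
"""Toy model: DNS reflection over UDP versus a handshake-gated TCP resolver.
Added illustration; sizes and addresses are constructed, not measured."""
import secrets
from dataclasses import dataclass

# Constructed sizes in bytes (assumption: small query, large response).
QUERY_BYTES = 60
RESPONSE_BYTES = 3000
TCP_HDR_BYTES = 40          # SYN, SYN-ACK and ACK segments carry no payload


@dataclass
class Packet:
    src: str    # claimed source address; never checked by the network
    dst: str
    size: int
    kind: str   # udp_query, udp_response, syn, synack, ack, tcp_query, tcp_response
    ack: int = 0


class Network:
    """Delivers on pkt.dst only; the src field is whatever the sender wrote."""
    def __init__(self):
        self.hosts = {}

    def register(self, host):
        self.hosts[host.addr] = host

    def send(self, pkt):
        if pkt.dst in self.hosts:
            self.hosts[pkt.dst].receive(self, pkt)


class Victim:
    """Host whose address the attacker forges; counts unsolicited bytes."""
    def __init__(self, addr):
        self.addr, self.bytes_received = addr, 0

    def receive(self, net, pkt):
        self.bytes_received += pkt.size   # a real stack would RST a stray SYN-ACK


class UdpResolver:
    """Answers every query to the claimed source, no questions asked."""
    def __init__(self, addr):
        self.addr = addr

    def receive(self, net, pkt):
        if pkt.kind == "udp_query":
            net.send(Packet(self.addr, pkt.src, RESPONSE_BYTES, "udp_response"))


class TcpResolver:
    """Sends data only to a peer that echoed the random ISN from our SYN-ACK."""
    def __init__(self, addr):
        self.addr, self.pending, self.established = addr, {}, set()

    def receive(self, net, pkt):
        if pkt.kind == "syn":
            isn = secrets.randbits(32)               # delivered only to pkt.src
            self.pending[pkt.src] = isn
            net.send(Packet(self.addr, pkt.src, TCP_HDR_BYTES, "synack", ack=isn))
        elif pkt.kind == "ack":
            isn = self.pending.get(pkt.src)
            if isn is not None and pkt.ack == (isn + 1) % 2**32:
                self.established.add(pkt.src)
        elif pkt.kind == "tcp_query" and pkt.src in self.established:
            net.send(Packet(self.addr, pkt.src, RESPONSE_BYTES, "tcp_response"))


class Client:
    """Legitimate TCP client: completes the handshake and records the answer."""
    def __init__(self, addr):
        self.addr, self.response_bytes = addr, 0

    def query(self, net, resolver_addr):
        self.resolver = resolver_addr
        net.send(Packet(self.addr, resolver_addr, TCP_HDR_BYTES, "syn"))

    def receive(self, net, pkt):
        if pkt.kind == "synack":                     # we really own our address
            net.send(Packet(self.addr, self.resolver, TCP_HDR_BYTES, "ack", ack=pkt.ack + 1))
            net.send(Packet(self.addr, self.resolver, QUERY_BYTES, "tcp_query"))
        elif pkt.kind == "tcp_response":
            self.response_bytes += pkt.size


def simulate_reflection(transport, attempts):
    """Attacker forges src='victim' for `attempts` rounds; returns byte counts."""
    net, victim = Network(), Victim("victim")
    net.register(victim)
    net.register(UdpResolver("resolver") if transport == "udp" else TcpResolver("resolver"))
    sent = 0
    for _ in range(attempts):
        if transport == "udp":
            net.send(Packet("victim", "resolver", QUERY_BYTES, "udp_query"))
            sent += QUERY_BYTES
        else:
            net.send(Packet("victim", "resolver", TCP_HDR_BYTES, "syn"))
            # The SYN-ACK went to the victim, so the attacker can only guess the ISN.
            net.send(Packet("victim", "resolver", TCP_HDR_BYTES, "ack", ack=secrets.randbits(32)))
            net.send(Packet("victim", "resolver", QUERY_BYTES, "tcp_query"))
            sent += 2 * TCP_HDR_BYTES + QUERY_BYTES
    return {"attacker_sent": sent, "victim_received": victim.bytes_received,
            "amplification": victim.bytes_received / sent}


def simulate_legitimate_tcp_query():
    """Sanity check that the TCP resolver still serves a non-spoofing client."""
    net, client = Network(), Client("client")
    net.register(client)
    net.register(TcpResolver("resolver"))
    client.query(net, "resolver")
    return client.response_bytes


if __name__ == "__main__":
    print("udp:", simulate_reflection("udp", 100))
    print("tcp:", simulate_reflection("tcp", 100))
    print("legit tcp response bytes:", simulate_legitimate_tcp_query())
```

With the constructed sizes the UDP path hands the victim 50 bytes for every byte the attacker sent, while the TCP path delivers only one 40-byte SYN-ACK per forged SYN, less than the attacker spent, and no DNS data at all. The model also shows what the post does not claim: TCP removes the amplification, not the ability to flood the victim with SYN-ACKs or to hit the resolver itself with state-exhausting connection attempts, which is the "still get DoS'd" caveat in the quoted reply.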


