[88944] in North American Network Operators' Group


Re: DNS deluge for x.p.ctrc.cc

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Sat Feb 25 09:07:57 2006

From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Rob Thomas <robt@cymru.com>
Cc: NANOG <nanog@merit.edu>
In-Reply-To: (Your message of "Fri, 24 Feb 2006 16:33:08 CST.")
             <Pine.GSO.4.62.0602241629470.21514@qentba.nf23028.arg> 
Date: Sat, 25 Feb 2006 06:00:17 -0800
Errors-To: owner-nanog@merit.edu


In message <Pine.GSO.4.62.0602241629470.21514@qentba.nf23028.arg>, Rob Thomas writes:
>
>Limit UDP queries to 512 bytes.  This greatly decreases the
>amplification effect, though it doesn't stop it.
>
Unfortunately, the intention of the DNS developers is just the
opposite.  Things like DNSSEC require larger packet sizes; in fact,
there's a DNS extension (EDNS0) whose purpose, among others, is to
permit this.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
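Added illustration of the point at issue in this thread (not part of either message): the Python below builds a constructed query with and without an EDNS0 OPT RR, reads the UDP payload size the client advertises (the OPT record's CLASS field per RFC 6891; 512 bytes when there is no OPT RR), and shows a responder clamping that to an operator-chosen cap so oversized replies are truncated and retried over TCP. The function names and the `server_cap` values are assumptions for the example.

```python
import struct

EDNS_OPT_TYPE = 41       # RFC 6891 OPT pseudo-RR
CLASSIC_UDP_MAX = 512    # RFC 1035 ceiling when the query carries no OPT RR


def build_query(name, qtype, edns_udp_size=None):
    """Constructed sample query; with edns_udp_size set, an OPT RR advertises that payload size."""
    arcount = 1 if edns_udp_size is not None else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)   # id, RD flag, counts
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)                       # QTYPE, QCLASS=IN
    opt = b""
    if edns_udp_size is not None:
        # OPT RR: root name, TYPE=41, CLASS = requestor's UDP payload size,
        # TTL = extended RCODE/version/flags (all zero), RDLEN = 0.
        opt = b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, edns_udp_size, 0, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a wire-format name (compression pointers included)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer terminates the name
            return off + 2
        off += 1 + length


def advertised_udp_size(msg):
    """Largest UDP reply the client says it accepts: OPT CLASS if present, else 512."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                   # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == EDNS_OPT_TYPE:
            return rclass
        off += 10 + rdlen
    return CLASSIC_UDP_MAX


def response_budget(query, server_cap):
    """UDP reply budget: client's advertised size clamped to the operator's cap; larger replies get TC=1 and move to TCP."""
    return min(advertised_udp_size(query), server_cap)
```

The cap is what a resolver operator controls: a 512-byte cap reproduces Rob's mitigation, while a cap in the 1232-byte range keeps room for DNSSEC-signed answers, which is the tension Steve raises.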
