nanog mailing list archives

Re: DNS hardening, was Re: Dan Kaminsky

From: Douglas Otis <dotis () mail-abuse org>
Date: Wed, 05 Aug 2009 14:24:51 -0700

On 8/5/09 11:31 AM, Roland Dobbins wrote:


On Aug 6, 2009, at 1:12 AM, Douglas Otis wrote:

Having major providers support the SCTP option will mitigate disruptions caused by DNS DDoS attacks using less 
resources.


Can you elaborate on this (or are you referring to removing the spoofing vector?)?

SCTP is able to simultaneously exchange chunks (DNS messages) over anassociation. Initialization of associations can offer alternativeservers for immediate fail-over, which might be seen as means to arrangeanycast style redundancy. Unlike TCP, resource commitments are onlyretained within the cookies exchanged. This avoids consumption ofresources for tracking transaction commitments for what might be spoofedsources. Confirmation of the small cookie also offers protectionagainst reflected attacks by spoofed sources. In addition to sourcevalidation, the 32 bit verification tag and TSN would add a significantamount of entropy to the DNS transaction ID.

The SCTP stack is able to perform the housekeeping needed to allowassociations to persist beyond single transaction, nor would there be aneed to push partial packets, as is needed with TCP.


-Doug

Current thread:

Re: dnscurve and DNS hardening, was Re: Dan Kaminsky, (continued)
- - - Re: dnscurve and DNS hardening, was Re: Dan Kaminsky Ben Scott (Aug 05)
    - Re: dnscurve and DNS hardening, was Re: Dan Kaminsky Naveen Nathan (Aug 05)
    - Re: dnscurve and DNS hardening, was Re: Dan Kaminsky Florian Weimer (Aug 06)
    - Re: dnscurve and DNS hardening, was Re: Dan Kaminsky Alexander Harrowell (Aug 06)
    - Re: dnscurve and DNS hardening, was Re: Dan Kaminsky Ben Scott (Aug 07)
    - Re: dnscurve and DNS hardening, was Re: Dan Kaminsky Tony Finch (Aug 06)
    - Re: dnscurve and DNS hardening, was Re: Dan Kaminsky Douglas Otis (Aug 06)
    - Re: DNS hardening, was Re: Dan Kaminsky John R. Levine (Aug 05)
    - Re: DNS hardening, was Re: Dan Kaminsky Douglas Otis (Aug 05)
    - Re: DNS hardening, was Re: Dan Kaminsky Roland Dobbins (Aug 05)
    - Re: DNS hardening, was Re: Dan Kaminsky Douglas Otis (Aug 05)
    - Re: DNS hardening, was Re: Dan Kaminsky Christopher Morrow (Aug 05)
    - Re: DNS hardening, was Re: Dan Kaminsky Douglas Otis (Aug 05)
    - Re: DNS hardening, was Re: Dan Kaminsky Christopher Morrow (Aug 05)
    - Re: DNS hardening, was Re: Dan Kaminsky Paul Vixie (Aug 05)
    - Re: DNS hardening, was Re: Dan Kaminsky Florian Weimer (Aug 06)
    - Re: DNS hardening, was Re: Dan Kaminsky Paul Jakma (Aug 06)
    - Re: DNS hardening, was Re: Dan Kaminsky Christopher Morrow (Aug 06)
    - Re: DNS hardening, was Re: Dan Kaminsky Paul Vixie (Aug 06)
    - Re: DNS hardening, was Re: Dan Kaminsky Ross Vandegrift (Aug 06)
    - Re: DNS hardening, was Re: Dan Kaminsky Christopher Morrow (Aug 06)

(Thread continues...)