nanog mailing list archives
Re: DNS hardening, was Re: Dan Kaminsky
From: Douglas Otis <dotis () mail-abuse org>
Date: Wed, 05 Aug 2009 14:24:51 -0700
On 8/5/09 11:31 AM, Roland Dobbins wrote:
> On Aug 6, 2009, at 1:12 AM, Douglas Otis wrote:
>> Having major providers support the SCTP option will mitigate disruptions caused by DNS DDoS attacks using less resources.
> Can you elaborate on this (or are you referring to removing the spoofing vector?)?
SCTP is able to simultaneously exchange chunks (DNS messages) over an association. Initialization of associations can offer alternative servers for immediate fail-over, which might be seen as a means to arrange anycast-style redundancy. Unlike TCP, resource commitments are only retained within the cookies exchanged. This avoids consumption of resources for tracking transaction commitments for what might be spoofed sources. Confirmation of the small cookie also offers protection against reflected attacks by spoofed sources. In addition to source validation, the 32-bit verification tag and TSN would add a significant amount of entropy to the DNS transaction ID.
The SCTP stack is able to perform the housekeeping needed to allow associations to persist beyond a single transaction, and there would be no need to push partial packets, as is needed with TCP.
-Doug
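As an added illustration (not part of the thread or any SCTP implementation), a toy Python model of the stateless cookie exchange described above: the server allocates no association state on INIT, only on a COOKIE-ECHO whose MAC and age check out, and a helper tallies the guessing space the 32-bit verification tag and TSN add on top of the 16-bit DNS ID. The addresses, HMAC construction and cookie layout are constructed assumptions, not the real SCTP wire format.

```python
import hmac, hashlib, os, time, secrets

class SctpCookieServer:
    """Toy model of SCTP INIT / INIT-ACK / COOKIE-ECHO (constructed, not real wire format)."""
    def __init__(self, cookie_lifetime=60):
        self.secret = os.urandom(32)          # server-side key used to MAC cookies
        self.cookie_lifetime = cookie_lifetime
        self.associations = {}                # state exists only for verified peers

    def _mac(self, src, peer_tag, my_tag, ts):
        msg = f"{src}|{peer_tag}|{my_tag}|{ts}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def on_init(self, src, peer_tag, now=None):
        """INIT from a possibly spoofed src: reply with INIT-ACK, allocate nothing."""
        now = int(now if now is not None else time.time())
        my_tag = secrets.randbits(32)         # 32-bit verification tag, fresh per INIT-ACK
        cookie = (src, peer_tag, my_tag, now, self._mac(src, peer_tag, my_tag, now))
        return my_tag, cookie                 # only the genuine src receives and can echo this

    def on_cookie_echo(self, src, cookie, now=None):
        """COOKIE-ECHO: verify MAC, origin and freshness; only then build the association."""
        now = int(now if now is not None else time.time())
        c_src, peer_tag, my_tag, ts, mac = cookie
        if c_src != src or now - ts > self.cookie_lifetime:
            return None                       # replayed from elsewhere, or stale
        if not hmac.compare_digest(mac, self._mac(c_src, peer_tag, my_tag, ts)):
            return None                       # forged or tampered cookie
        self.associations[(src, my_tag)] = {"peer_tag": peer_tag, "tsn": secrets.randbits(32)}
        return my_tag

def transaction_entropy_bits():
    """Bits an off-path spoofer must guess: 16-bit DNS ID alone vs. ID + vtag + TSN."""
    return {"udp_dns": 16, "sctp_dns": 16 + 32 + 32}

def demo():
    srv = SctpCookieServer()
    for i in range(1000):                     # 1000 INITs from spoofed sources (constructed)
        srv.on_init(f"198.51.100.{i % 250}", peer_tag=i)
    spoofed_state = len(srv.associations)     # nothing retained for unverified INITs
    tag, cookie = srv.on_init("203.0.113.7", peer_tag=0xABCD)
    genuine = srv.on_cookie_echo("203.0.113.7", cookie)
    stolen = srv.on_cookie_echo("203.0.113.8", cookie)   # same cookie, different source
    return spoofed_state, genuine == tag, stolen

if __name__ == "__main__":
    print(demo(), transaction_entropy_bits())
```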