nanog mailing list archives
Re: DNS noise
From: Jimmy Hess <mysidia () gmail com>
Date: Fri, 6 Apr 2012 13:13:22 -0500
On Fri, Apr 6, 2012 at 1:04 PM, Nick Hilliard <nick () foobar org> wrote:
> On 06/04/2012 18:41, Nathan Eisenberg wrote:
>> Anyone else seeing this sort of noise lately?
>
> There has been a bit of that recently for ripe.net and several other well known DNSSEC enabled domains (e.g. isc.org). It turns out that DNSSEC makes a respectable traffic amplification vector:
This is definitely a problem. Unfortunately, what really should happen is that DNSSEC should be revised to either make sure that the client initiating the query has to do more work than the server, or make a round trip before the DNSSEC data can be requested.

One way of accomplishing that would be to indicate that DNSSEC data can be transmitted over DNS only when using TCP; since a reflection spoofer cannot complete a 3-way TCP handshake, the attacker cannot send spoofed requests for DNSSEC data over TCP.

--
-JH
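The same "make the spoofer complete a TCP handshake" idea is what response rate limiting (RRL) on an authoritative server does today. Added sketch, not code from this thread or from any DNS server: once a (source /24, qname, qtype) exhausts its per-second budget, every second over-limit query gets a truncated TC=1 reply, which a real client retries over TCP and a spoofed source cannot, and the rest are dropped. All addresses, names and byte sizes are constructed; the slip behaviour is modelled on how RRL implementations generally work.

```python
from collections import defaultdict

QUERY_BYTES = 64            # assumed UDP query size (constructed)
TRUNCATED_REPLY_BYTES = 64  # header + question only, TC=1 (constructed)


class ResponseRateLimiter:
    """Token bucket per (source /24, qname, qtype); over-limit replies slip to TC=1."""

    def __init__(self, rate=5, burst=5, slip=2):
        self.rate, self.burst, self.slip = rate, burst, slip
        self.tokens, self.last = {}, {}
        self.overlimit = defaultdict(int)

    def decide(self, now_ms, src_ip, qname, qtype):
        prefix = ".".join(src_ip.split(".")[:3])  # aggregate spoofed sources by /24
        key = (prefix, qname, qtype)
        elapsed = now_ms - self.last.get(key, now_ms)
        tokens = min(self.burst, self.tokens.get(key, self.burst) + elapsed * self.rate / 1000)
        self.last[key] = now_ms
        if tokens >= 1:
            self.tokens[key] = tokens - 1
            return "ANSWER"
        self.tokens[key] = tokens
        self.overlimit[key] += 1
        # TC=1 every slip-th time: a genuine client retries over TCP, a spoofed one gets nothing
        return "TRUNCATE" if self.overlimit[key] % self.slip == 0 else "DROP"


# Constructed query log: (time_ms, source_ip, qname, qtype, full_response_bytes).
# 192.0.2.10 plays the spoofed victim address; 198.51.100.7 is an ordinary resolver.
SAMPLE_QUERIES = (
    [(0, "192.0.2.10", "ripe.net.", "DNSKEY", 1800)] * 12
    + [(100, "198.51.100.7", "isc.org.", "A", 250), (300, "198.51.100.7", "isc.org.", "A", 250)]
    + [(2000, "192.0.2.10", "ripe.net.", "DNSKEY", 1800)]
)


def simulate(queries, limiter=None):
    """Return decision counts plus bytes that would leave the server with and without RRL."""
    rrl = limiter or ResponseRateLimiter()
    out = {"ANSWER": 0, "TRUNCATE": 0, "DROP": 0,
           "query_bytes": 0, "bytes_without_rrl": 0, "bytes_with_rrl": 0}
    for t, src, qname, qtype, size in queries:
        d = rrl.decide(t, src, qname, qtype)
        out[d] += 1
        out["query_bytes"] += QUERY_BYTES
        out["bytes_without_rrl"] += size
        out["bytes_with_rrl"] += {"ANSWER": size, "TRUNCATE": TRUNCATED_REPLY_BYTES, "DROP": 0}[d]
    return out


if __name__ == "__main__":
    r = simulate(SAMPLE_QUERIES)
    print(r)
    print("amplification without RRL: %.1fx, with RRL: %.1fx"
          % (r["bytes_without_rrl"] / r["query_bytes"], r["bytes_with_rrl"] / r["query_bytes"]))
```

The 12-query burst at t=0 gets 5 answers, 3 truncated replies and 4 drops, the legitimate resolver is untouched, and the bucket has refilled by t=2000.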