Re: DNS hardening, was Re: Dan Kaminsky

[Christopher Morrow <morrowc.lists () gmail com>]

On Wed, Aug 5, 2009 at 5:24 PM, Douglas Otis<dotis () mail-abuse org> wrote:
> On 8/5/09 11:31 AM, Roland Dobbins wrote:
> > On Aug 6, 2009, at 1:12 AM, Douglas Otis wrote:
> >
> > > Having major providers support the SCTP option will mitigate disruptions
> > > caused by DNS DDoS attacks using less resources.
> >
> > Can you elaborate on this (or are you referring to removing the spoofing
> > vector?)?
>
> SCTP is able to simultaneously exchange chunks (DNS messages) over an
> association.  Initialization of associations can offer alternative servers
> for immediate fail-over, which might be seen as means to arrange anycast
> style redundancy.  Unlike TCP, resource commitments are only retained within
> the cookies exchanged.  This avoids consumption of resources for tracking
> transaction commitments for what might be spoofed sources.  Confirmation of
> the small cookie also offers protection against reflected attacks by spoofed
> sources.  In addition to source validation, the 32 bit verification tag and
> TSN would add a significant amount of entropy to the DNS transaction ID.
>
> The SCTP stack is able to perform the housekeeping needed to allow
> associations to persist beyond single transaction, nor would there be a need
> to push partial packets, as is needed with TCP.

and state-management seems like it won't be too much of a problem on
that dns server... wait, yes it will.