Re: DNS hardening, was Re: Dan Kaminsky

[Christopher Morrow <morrowc.lists () gmail com>]

On Thu, Aug 6, 2009 at 2:51 AM, Paul Vixie<vixie () isc org> wrote:
> Christopher Morrow <morrowc.lists () gmail com> writes:
>
> > how does SCTP ensure against spoofed or reflected attacks?
>
> there is no server side protocol control block required in SCTP.  someone
> sends you a "create association" request, you send back a "ok, here's your
> cookie" and you're done until/unless they come back and say "ok, here's my
> cookie, and here's my DNS request."  so a spoofer doesn't get a cookie and
> a reflector doesn't burden a server any more than a ddos would do.

awesome, how does that work with devices in the f-root-anycast design?
(both local hosts in the rack and if I flip from rack to rack) If I
send along a request to a host which I do not have an association
created do I get a failure and then re-setup? (inducing further
latency)

> because of the extra round trips nec'y to create an SCTP "association" (for
> which you can think, lightweight TCP-like session-like), it's going to be
> nec'y to leave associations in place between iterative caches and authority
> servers, and in place between stubs and iterative caches.  however, because
> the state is mostly on the client side, a server with associations open to
> millions of clients at the same time is actually no big deal.

See question above, as well as: "Do loadbalancers, or loadbalanced
deployments, deal with this properly?" (loadbalancers like F5, citrix,
radware, cisco, etc...)

-Chris