nanog mailing list archives
Re: DNS hardening, was Re: Dan Kaminsky
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Thu, 6 Aug 2009 10:18:11 -0400
On Thu, Aug 6, 2009 at 2:51 AM, Paul Vixie<vixie () isc org> wrote:
Christopher Morrow <morrowc.lists () gmail com> writes:how does SCTP ensure against spoofed or reflected attacks?there is no server side protocol control block required in SCTP. someone sends you a "create association" request, you send back a "ok, here's your cookie" and you're done until/unless they come back and say "ok, here's my cookie, and here's my DNS request." so a spoofer doesn't get a cookie and a reflector doesn't burden a server any more than a ddos would do.
awesome, how does that work with devices in the f-root-anycast design? (both local hosts in the rack and if I flip from rack to rack) If I send along a request to a host which I do not have an association created do I get a failure and then re-setup? (inducing further latency)
because of the extra round trips nec'y to create an SCTP "association" (for which you can think, lightweight TCP-like session-like), it's going to be nec'y to leave associations in place between iterative caches and authority servers, and in place between stubs and iterative caches. however, because the state is mostly on the client side, a server with associations open to millions of clients at the same time is actually no big deal.
See question above, as well as: "Do loadbalancers, or loadbalanced deployments, deal with this properly?" (loadbalancers like F5, citrix, radware, cisco, etc...) -Chris
Current thread:
- Re: DNS hardening, was Re: Dan Kaminsky, (continued)
- Re: DNS hardening, was Re: Dan Kaminsky John R. Levine (Aug 05)
- Re: DNS hardening, was Re: Dan Kaminsky Douglas Otis (Aug 05)
- Re: DNS hardening, was Re: Dan Kaminsky Roland Dobbins (Aug 05)
- Re: DNS hardening, was Re: Dan Kaminsky Douglas Otis (Aug 05)
- Re: DNS hardening, was Re: Dan Kaminsky Christopher Morrow (Aug 05)
- Re: DNS hardening, was Re: Dan Kaminsky Douglas Otis (Aug 05)
- Re: DNS hardening, was Re: Dan Kaminsky Christopher Morrow (Aug 05)
- Re: DNS hardening, was Re: Dan Kaminsky Paul Vixie (Aug 05)
- Re: DNS hardening, was Re: Dan Kaminsky Florian Weimer (Aug 06)
- Re: DNS hardening, was Re: Dan Kaminsky Paul Jakma (Aug 06)
- Re: DNS hardening, was Re: Dan Kaminsky Christopher Morrow (Aug 06)
- Re: DNS hardening, was Re: Dan Kaminsky Paul Vixie (Aug 06)
- Re: DNS hardening, was Re: Dan Kaminsky Ross Vandegrift (Aug 06)
- Re: DNS hardening, was Re: Dan Kaminsky Christopher Morrow (Aug 06)
- Re: DNS hardening, was Re: Dan Kaminsky Steven M. Bellovin (Aug 07)
- Re: DNS hardening, was Re: Dan Kaminsky Douglas Otis (Aug 10)
- Re: DNS hardening, was Re: Dan Kaminsky Florian Weimer (Aug 06)
- A DNSSEC irony Edward Lewis (Aug 06)
- Re: DNS hardening, was Re: Dan Kaminsky Florian Weimer (Aug 06)
- Re: DNS hardening, was Re: Dan Kaminsky Florian Weimer (Aug 06)