nanog mailing list archives

Re: DNS DoS ???

From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Mon, 1 Aug 2011 02:27:19 +0000

On Aug 1, 2011, at 9:22 AM, Mark Andrews wrote:

And even if DNS/TCP was use by default machines can still get DoS'd because IP is spoofable.


They can be DDoSed with spoofed or non-spoofed packets, and there are defenses against such attacks.  

Apologies if I was unclear - my point was that huge, crushing, multi-gigabit-per-second DNS reflection/amplification 
attacks would no longer be possible with a TCP-only DNS, and that there would be other benefits, as well.  Large-scale 
testing of TCP-only DNS would be quite informative, IMHO.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

                The basis of optimism is sheer terror.

                          -- Oscar Wilde

Current thread:

RE: DNS DoS ???, (continued)
- - - RE: DNS DoS ??? Alex Nderitu (Jul 30)
    - Re: DNS DoS ??? John Adams (Jul 30)
    - Re: DNS DoS ??? Mike Sabbota (Jul 30)
    - Re: DNS DoS ??? Jimmy Hess (Jul 30)
    - Re: DNS DoS ??? Dobbins, Roland (Jul 30)
    - Re: DNS DoS ??? Jimmy Hess (Jul 30)
    - Re: DNS DoS ??? Dobbins, Roland (Jul 30)
    - Re: DNS DoS ??? Mark Andrews (Jul 31)
    - Re: DNS DoS ??? Dobbins, Roland (Jul 31)
    - Re: DNS DoS ??? Mark Andrews (Jul 31)
    - Re: DNS DoS ??? Dobbins, Roland (Jul 31)
  - RE: DNS DoS ??? Frank Bulk (Jul 30)