DNS hardening, was Re: Dan Kaminsky
Douglas Otis
dotis at mail-abuse.org
Wed Aug 5 22:53:32 UTC 2009
On 8/5/09 2:49 PM, Christopher Morrow wrote:
> and state-management seems like it won't be too much of a problem on
> that dns server... wait, yes it will.
DNSSEC UDP will likely become problematic. This might be due to
reflected attacks, fragmentation related congestion, or packet loss.
When it does, TCP fallback will be tried. TCP must retain state for every
attempt to connect, and will require significantly greater resources for
comparable levels of resilience.
SCTP instead uses cryptographic cookies and the client to retain this
state information. SCTP can bundle several transactions into a common
association, which reduces overhead and latency compared against TCP.
SCTP ensures against source-spoofed reflected attacks or related
resource exhaustion. TCP or UDP does not. Under load, SCTP can
redirect services without using anycast. TCP cannot.
-Doug
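The cookie mechanism Doug credits to SCTP, as an added illustration that is not part of the original thread: a constructed Python simulation (not real SCTP code or wire format) in which the server keeps no half-open state on INIT but encodes it in an HMAC cookie the client must echo from the same source before an association is allocated. The key, cookie lifetime and message layout are assumptions.

```python
import hashlib
import hmac
import os

# Constructed simulation of the stateless cookie handshake the post credits
# to SCTP; message layout is simplified, not real SCTP wire format.
SECRET = os.urandom(32)   # hypothetical server key (rotated in practice)
COOKIE_LIFETIME = 60      # seconds a cookie stays valid

def make_cookie(src_ip, src_port, init_tag, now):
    """INIT-ACK: state goes into an HMAC-protected cookie, not server memory."""
    params = f"{src_ip}:{src_port}:{init_tag}:{int(now)}".encode()
    return params + hmac.new(SECRET, params, hashlib.sha256).digest()

def verify_cookie(cookie, src_ip, src_port, now):
    """COOKIE-ECHO: valid MAC, same source it was issued to, still fresh."""
    params, mac = cookie[:-32], cookie[-32:]          # SHA-256 tag is 32 bytes
    expect = hmac.new(SECRET, params, hashlib.sha256).digest()
    if len(mac) != 32 or not hmac.compare_digest(expect, mac):
        return None
    try:
        ip, port, init_tag, issued = params.decode().split(":")
    except (UnicodeDecodeError, ValueError):
        return None
    if ip != src_ip or int(port) != src_port or now - int(issued) > COOKIE_LIFETIME:
        return None
    return int(init_tag)

class SctpStyleServer:
    """Allocates an association only after a valid COOKIE-ECHO."""
    def __init__(self):
        self.associations = {}
    def on_init(self, src_ip, src_port, init_tag, now):
        return make_cookie(src_ip, src_port, init_tag, now)   # nothing stored
    def on_cookie_echo(self, cookie, src_ip, src_port, now):
        tag = verify_cookie(cookie, src_ip, src_port, now)
        if tag is not None:
            self.associations[(src_ip, src_port)] = tag
        return tag is not None

def simulate_spoofed_flood(n, now=1_000_000):
    """n openers from sources that never answer -> (tcp_half_open, sctp_assocs)."""
    tcp_half_open, sctp = {}, SctpStyleServer()
    for i in range(n):
        ip = f"198.51.100.{i % 256}"            # RFC 5737 documentation range
        tcp_half_open[(ip, 1024 + i)] = "SYN_RECEIVED"   # TCP: state on first packet
        sctp.on_init(ip, 1024 + i, i, now)      # INIT-ACK cookie is simply dropped
    return len(tcp_half_open), len(sctp.associations)
```

Sources that never complete the handshake cost the SCTP-style server nothing, while the TCP-style table grows with every spoofed opener; a replayed cookie from a different source or after its lifetime is rejected.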