DNS hardening, was Re: Dan Kaminsky
dotis at mail-abuse.org
Wed Aug 5 16:24:51 CDT 2009
On 8/5/09 11:31 AM, Roland Dobbins wrote:
> On Aug 6, 2009, at 1:12 AM, Douglas Otis wrote:
>> Having major providers support the SCTP option will mitigate disruptions caused by DNS DDoS attacks using less resources.
> Can you elaborate on this (or are you referring to removing the spoofing vector?)?
SCTP is able to simultaneously exchange chunks (DNS messages) over an
association. Initialization of associations can offer alternative
servers for immediate fail-over, which might be seen as means to arrange
anycast style redundancy. Unlike TCP, resource commitments are only
retained within the cookies exchanged. This avoids consumption of
resources for tracking transaction commitments for what might be spoofed
sources. Confirmation of the small cookie also offers protection
against reflected attacks by spoofed sources. In addition to source
validation, the 32 bit verification tag and TSN would add a significant
amount of entropy to the DNS transaction ID.
The SCTP stack is able to perform the housekeeping needed to allow
associations to persist beyond single transaction, nor would there be a
need to push partial packets, as is needed with TCP.
More information about the NANOG