DNS hardening, was Re: Dan Kaminsky

Douglas Otis dotis at mail-abuse.org
Wed Aug 5 16:24:51 CDT 2009

On 8/5/09 11:31 AM, Roland Dobbins wrote:
> On Aug 6, 2009, at 1:12 AM, Douglas Otis wrote:
>> Having major providers support the SCTP option will mitigate disruptions caused by DNS DDoS attacks using less resources.
> Can you elaborate on this (or are you referring to removing the spoofing vector?)?

SCTP is able to simultaneously exchange chunks (DNS messages) over an 
association.  Initialization of associations can offer alternative 
servers for immediate fail-over, which might be seen as means to arrange 
anycast style redundancy.  Unlike TCP, resource commitments are only 
retained within the cookies exchanged.  This avoids consumption of 
resources for tracking transaction commitments for what might be spoofed 
sources.  Confirmation of the small cookie also offers protection 
against reflected attacks by spoofed sources.  In addition to source 
validation, the 32 bit verification tag and TSN would add a significant 
amount of entropy to the DNS transaction ID.

The SCTP stack is able to perform the housekeeping needed to allow 
associations to persist beyond single transaction, nor would there be a 
need to push partial packets, as is needed with TCP.


More information about the NANOG mailing list