DNS hardening, was Re: Dan Kaminsky

Christopher Morrow morrowc.lists at gmail.com
Wed Aug 5 16:49:28 CDT 2009


On Wed, Aug 5, 2009 at 5:24 PM, Douglas Otis<dotis at mail-abuse.org> wrote:
> On 8/5/09 11:31 AM, Roland Dobbins wrote:
>>
>> On Aug 6, 2009, at 1:12 AM, Douglas Otis wrote:
>>
>>> Having major providers support the SCTP option will mitigate disruptions
>>> caused by DNS DDoS attacks using less resources.
>>
>> Can you elaborate on this (or are you referring to removing the spoofing
>> vector?)?
>
> SCTP is able to simultaneously exchange chunks (DNS messages) over an
> association.  Initialization of associations can offer alternative servers
> for immediate fail-over, which might be seen as means to arrange anycast
> style redundancy.  Unlike TCP, resource commitments are only retained within
> the cookies exchanged.  This avoids consumption of resources for tracking
> transaction commitments for what might be spoofed sources.  Confirmation of
> the small cookie also offers protection against reflected attacks by spoofed
> sources.  In addition to source validation, the 32 bit verification tag and
> TSN would add a significant amount of entropy to the DNS transaction ID.
>
> The SCTP stack is able to perform the housekeeping needed to allow
> associations to persist beyond single transaction, nor would there be a need
> to push partial packets, as is needed with TCP.

and state-management seems like it won't be too much of a problem on
that dns server... wait, yes it will.




More information about the NANOG mailing list