DNS hardening, was Re: Dan Kaminsky
morrowc.lists at gmail.com
Wed Aug 5 16:49:28 CDT 2009
On Wed, Aug 5, 2009 at 5:24 PM, Douglas Otis<dotis at mail-abuse.org> wrote:
> On 8/5/09 11:31 AM, Roland Dobbins wrote:
>> On Aug 6, 2009, at 1:12 AM, Douglas Otis wrote:
>>> Having major providers support the SCTP option will mitigate disruptions
>>> caused by DNS DDoS attacks using less resources.
>> Can you elaborate on this (or are you referring to removing the spoofing
> SCTP is able to simultaneously exchange chunks (DNS messages) over an
> association. Initialization of associations can offer alternative servers
> for immediate fail-over, which might be seen as means to arrange anycast
> style redundancy. Unlike TCP, resource commitments are only retained within
> the cookies exchanged. This avoids consumption of resources for tracking
> transaction commitments for what might be spoofed sources. Confirmation of
> the small cookie also offers protection against reflected attacks by spoofed
> sources. In addition to source validation, the 32 bit verification tag and
> TSN would add a significant amount of entropy to the DNS transaction ID.
> The SCTP stack is able to perform the housekeeping needed to allow
> associations to persist beyond a single transaction, and there would be no
> need to push partial packets, as is needed with TCP.
and state-management seems like it won't be too much of a problem on
that dns server... wait, yes it will.
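To make the cookie argument in the quoted text concrete, here is a small simulation of the SCTP association setup (INIT, INIT-ACK carrying a signed state cookie, COOKIE-ECHO, COOKIE-ACK) as described in RFC 4960. It is an added example, not code from the thread or from any SCTP stack: the responder keeps no table entry for an INIT, so a flood of spoofed INITs costs it only reply packets, while a cookie replayed from another address, altered, or echoed after its lifetime is refused, and DATA that does not carry the 32-bit verification tag is dropped. The HMAC secret, the 60-second cookie lifetime, the addresses and the payloads are all constructed for the example.

```python
"""Toy model of SCTP's cookie-based association setup (RFC 4960 section 5).
Constructed example: the cookie format, secret, lifetime and addresses are
assumptions made for this demonstration, not a real SCTP implementation."""
import hashlib
import hmac
import os
import struct

MAC_LEN = 16          # truncated HMAC-SHA256 over the cookie body (assumed size)
COOKIE_LIFETIME = 60  # seconds a cookie stays valid (assumed value)


class CookieServer:
    """Responder side of INIT / INIT-ACK / COOKIE-ECHO / COOKIE-ACK."""

    def __init__(self, secret: bytes):
        self.secret = secret
        # Per-association state is created only in handle_cookie_echo.
        self.associations = {}
        self.inits_seen = 0

    def _mac(self, body: bytes) -> bytes:
        return hmac.new(self.secret, body, hashlib.sha256).digest()[:MAC_LEN]

    def handle_init(self, peer: str, peer_tag: int, now: int) -> dict:
        """INIT -> INIT-ACK. Everything needed later lives in the cookie, so a
        spoofed INIT costs one reply packet and no table entry."""
        self.inits_seen += 1
        my_tag = struct.unpack(">I", os.urandom(4))[0]   # 32-bit verification tag
        body = struct.pack(">IIq", peer_tag, my_tag, now) + peer.encode()
        cookie = body + self._mac(body)
        return {"type": "INIT-ACK", "vtag": peer_tag, "init_tag": my_tag, "cookie": cookie}

    def handle_cookie_echo(self, peer: str, cookie: bytes, now: int):
        """COOKIE-ECHO -> COOKIE-ACK, or None if the cookie is forged, stale, or
        comes from a different address than the one it was issued to."""
        if len(cookie) < 16 + MAC_LEN:
            return None
        body, mac = cookie[:-MAC_LEN], cookie[-MAC_LEN:]
        if not hmac.compare_digest(mac, self._mac(body)):
            return None                                   # forged or tampered
        peer_tag, my_tag, issued = struct.unpack(">IIq", body[:16])
        if body[16:].decode() != peer or now - issued > COOKIE_LIFETIME:
            return None                                   # wrong source or expired
        # Only now is per-association state allocated.
        self.associations[peer] = {"my_tag": my_tag, "peer_tag": peer_tag, "next_tsn": 0}
        return {"type": "COOKIE-ACK", "vtag": peer_tag}

    def handle_data(self, peer: str, vtag: int, tsn: int, payload: bytes) -> bool:
        """Accept a DATA chunk only if it carries this association's verification
        tag; anything else is silently discarded (RFC 4960 section 8.5)."""
        assoc = self.associations.get(peer)
        if assoc is None or vtag != assoc["my_tag"]:
            return False
        assoc["next_tsn"] = tsn + 1
        return True


def simulate(secret: bytes = b"rotate-me-often") -> dict:
    """Run a spoofed INIT flood and one legitimate client against the server
    and report what state survived. All addresses and payloads are constructed."""
    srv = CookieServer(secret)
    now = 1_000_000
    # 10,000 INITs from forged sources: each gets an INIT-ACK, none get state.
    for i in range(10_000):
        srv.handle_init(f"203.0.113.{i % 256}", i, now)
    state_after_flood = len(srv.associations)

    # A client that really receives the INIT-ACK echoes the cookie back.
    peer = "198.51.100.7"
    ack = srv.handle_init(peer, 0xC0FFEE, now)
    ok = srv.handle_cookie_echo(peer, ack["cookie"], now + 1)
    # The same cookie replayed from another host fails the address binding.
    replayed = srv.handle_cookie_echo("192.0.2.99", ack["cookie"], now + 1)
    # One flipped bit fails the MAC check.
    tampered = bytearray(ack["cookie"])
    tampered[0] ^= 0x01
    tampered_result = srv.handle_cookie_echo(peer, bytes(tampered), now + 1)
    # A cookie echoed after its lifetime is refused.
    stale = srv.handle_cookie_echo(peer, ack["cookie"], now + COOKIE_LIFETIME + 5)
    # DATA with a guessed verification tag is dropped; the real one is accepted.
    real_tag = srv.associations[peer]["my_tag"]
    bad_data = srv.handle_data(peer, (real_tag + 1) & 0xFFFFFFFF, 0, b"query")
    good_data = srv.handle_data(peer, real_tag, 0, b"query")

    return {
        "inits_seen": srv.inits_seen,
        "state_after_flood": state_after_flood,
        "handshake_ok": ok is not None and ok["type"] == "COOKIE-ACK",
        "replay_rejected": replayed is None,
        "tampered_rejected": tampered_result is None,
        "stale_rejected": stale is None,
        "bad_vtag_dropped": not bad_data,
        "good_vtag_accepted": good_data,
        "associations": len(srv.associations),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The flood leaves the association table empty because the responder's only "memory" of an INIT is the cookie it handed back; once a peer completes the echo, the server does hold per-association state (tags, TSNs), which is the cost the reply above is pointing at.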