DNS hardening, was Re: Dan Kaminsky

Douglas Otis dotis at mail-abuse.org
Wed Aug 5 17:53:32 CDT 2009


On 8/5/09 2:49 PM, Christopher Morrow wrote:
> and state-management seems like it won't be too much of a problem on
> that dns server... wait, yes it will.

DNSSEC UDP will likely become problematic.  This might be due to 
reflected attacks, fragmentation related congestion, or packet loss. 
When it does, TCP fallback will tried.  TCP must retain state for every 
attempt to connect, and will require significantly greater resources for 
comparable levels of resilience.

SCTP instead uses cryptographic cookies and the client to retain this 
state information.  SCTP can bundle several transactions into a common 
association, which reduces overhead and latency compared against TCP. 
SCTP ensures against source spoofed reflected attacks or related 
resource exhaustion.  TCP or UDP does not.  Under load, SCTP can 
redirect services without using anycast.  TCP can not.

-Doug






More information about the NANOG mailing list