DNS hardening, was Re: Dan Kaminsky
dotis at mail-abuse.org
Wed Aug 5 17:53:32 CDT 2009
On 8/5/09 2:49 PM, Christopher Morrow wrote:
> and state-management seems like it won't be too much of a problem on
> that dns server... wait, yes it will.
DNSSEC UDP will likely become problematic. This might be due to
reflected attacks, fragmentation related congestion, or packet loss.
When it does, TCP fallback will be tried. TCP must retain state for every
attempt to connect, and will require significantly greater resources for
comparable levels of resilience.
SCTP instead uses cryptographic cookies and the client to retain this
state information. SCTP can bundle several transactions into a common
association, which reduces overhead and latency compared against TCP.
SCTP ensures against source spoofed reflected attacks or related
resource exhaustion. TCP or UDP does not. Under load, SCTP can
redirect services without using anycast. TCP can not.
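A toy model of the state argument above, added here as an illustration and not part of the original post or of any SCTP implementation: a TCP-style handshake that allocates a half-open entry for every SYN is placed beside a cookie-based handshake in which the server stores nothing until a valid HMAC cookie is echoed back from the claimed source. All addresses are constructed and the server secret is assumed static for simplicity.

```python
import hashlib, hmac, os

class StatefulHandshakeServer:
    """TCP-style: each SYN allocates a half-open entry until ACK or timeout."""
    def __init__(self, max_half_open=4):
        self.half_open, self.max_half_open = {}, max_half_open
    def on_syn(self, src):
        if len(self.half_open) >= self.max_half_open:
            return False  # table full; legitimate clients are now refused
        self.half_open[src] = True
        return True
    def on_ack(self, src):
        return self.half_open.pop(src, None) is not None

class CookieHandshakeServer:
    """SCTP-style: INIT is answered with an HMAC cookie; the server keeps nothing."""
    def __init__(self):
        self.secret = os.urandom(32)  # assumed static here; rotated in practice
        self.associations = set()
    def on_init(self, src, now):
        payload = f"{src}|{now}".encode()
        tag = hmac.new(self.secret, payload, hashlib.sha256).digest()
        return payload + tag  # sent to the claimed source; no state allocated
    def on_cookie_echo(self, src, cookie, now, max_age=60.0):
        payload, tag = cookie[:-32], cookie[-32:]  # HMAC-SHA256 tag is 32 bytes
        expected = hmac.new(self.secret, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted cookie
        cookie_src, issued = payload.decode().rsplit("|", 1)
        if cookie_src != src or now - float(issued) > max_age:
            return False  # echoed from another address, or stale
        self.associations.add(src)  # state is created only now
        return True

def simulate(n_spoofed=1000):
    """Spoofed-source flood against both servers, then one legitimate client."""
    tcp, sctp = StatefulHandshakeServer(), CookieHandshakeServer()
    for i in range(n_spoofed):  # constructed spoofed sources that never reply
        tcp.on_syn(f"10.0.{i // 256}.{i % 256}")
        sctp.on_init(f"10.0.{i // 256}.{i % 256}", now=0.0)
    flood = (len(tcp.half_open), len(sctp.associations))
    real = "192.0.2.7"
    tcp_ok = tcp.on_syn(real) and tcp.on_ack(real)
    cookie = sctp.on_init(real, now=1.0)
    return {"tcp_state_after_flood": flood[0], "sctp_state_after_flood": flood[1],
            "tcp_accepted": tcp_ok, "sctp_accepted": sctp.on_cookie_echo(real, cookie, 2.0),
            "forged_rejected": not sctp.on_cookie_echo(real, b"\0" * len(cookie), 2.0),
            "replay_rejected": not sctp.on_cookie_echo("198.51.100.9", cookie, 2.0),
            "stale_rejected": not sctp.on_cookie_echo(real, cookie, 500.0)}
```

With the default flood the half-open table fills and the legitimate client is refused, while the cookie server holds zero entries until the real client completes the exchange.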