nick at foobar.org
Fri Apr 6 13:04:41 CDT 2012
On 06/04/2012 18:41, Nathan Eisenberg wrote:
> Anyone else seeing this sort of noise lately?
There has been a bit of that recently for ripe.net and several other well
known DNSSEC enabled domains (e.g. isc.org).
It turns out that DNSSEC makes a respectable traffic amplification vector:
> twinkie# dig +ignore +notcp any ripe.net | grep rcvd
> ;; MSG SIZE rcvd: 490
The DNS request packet size was 26 bytes. Add packet overhead to both the
request and the reply, and you end up with:
request: 26 (data) + 8 (udp) + 20 (ip) + 18 (ethernet frame) + 12 (ipg) + 8 (preamble) = 92
reply: 490 (data) + 8 (udp) + 20 (ip) + 18 (ethernet frame) + 12 (ipg) + 8 (preamble) = 556
=> amplification on ethernet medium == 556/92, or slightly more than 6x.
Welcome back to the 1990s.
More information about the NANOG
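The arithmetic in Nick's post, worked through as an added example (this is not code from the original post or from anyone on the thread). It builds the same plain UDP DNS query that "dig +notcp any ripe.net" sends, to confirm the 26-byte figure from the wire format itself (12-byte header, 10-byte QNAME, 4 bytes of QTYPE/QCLASS), and then applies the per-packet Ethernet overhead itemised above to get 92, 556 and the ~6x ratio. The 490-byte reply size is taken from the dig output quoted in the post; the transaction ID and the optional EDNS0 variant (which the post's dig command did not use, so it is an assumption of this example) are constructed here for illustration.

```python
"""
Added example, not part of the original NANOG post.

Builds a minimal DNS query in wire format (RFC 1035) for a given name and
computes the on-the-wire amplification factor using the same per-packet
overhead the post adds: UDP 8 + IPv4 20 + Ethernet frame 18 + IPG 12 +
preamble 8 = 66 bytes on each packet.
"""
import struct

QTYPE_ANY = 255
QTYPE_OPT = 41
QCLASS_IN = 1

# Per-packet overhead on an Ethernet medium, as itemised in the post.
OVERHEAD_ETHERNET = 8 + 20 + 18 + 12 + 8  # UDP + IPv4 + frame + IPG + preamble


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("DNS label longer than 63 octets: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_ANY, txid: int = 0x1234,
                edns: bool = False, udp_payload: int = 4096) -> bytes:
    """
    Plain query as dig sends it without +dnssec: 12-byte header with RD set
    and QDCOUNT=1, then QNAME + QTYPE + QCLASS.

    With edns=True (not what the post measured; added here to show the
    delta) an 11-byte OPT pseudo-RR with the DO bit is appended and ARCOUNT
    becomes 1, which is how a resolver asks for RRSIGs back.
    """
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    if not edns:
        return header + question
    # OPT RR: NAME=root (1 byte), TYPE=41, CLASS=UDP payload size,
    # TTL=ext-rcode/version/flags (DO = 0x8000), RDLEN=0.
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, udp_payload, 0x00008000, 0)
    return header + question + opt


def wire_size(payload_len: int, overhead: int = OVERHEAD_ETHERNET) -> int:
    """Bytes occupying the wire for one DNS/UDP/IPv4 packet on Ethernet."""
    return payload_len + overhead


def amplification(request_len: int, reply_len: int,
                  overhead: int = OVERHEAD_ETHERNET) -> float:
    """Reply bytes on the wire per request byte the sender must put on it."""
    return wire_size(reply_len, overhead) / wire_size(request_len, overhead)


if __name__ == "__main__":
    q = build_query("ripe.net")
    reply_len = 490  # "MSG SIZE rcvd: 490" from the dig output in the post
    print("query payload:", len(q))                       # 26
    print("query on wire:", wire_size(len(q)))            # 92
    print("reply on wire:", wire_size(reply_len))         # 556
    print("amplification: %.2fx" % amplification(len(q), reply_len))  # 6.04x
    print("EDNS0/DO query payload:", len(build_query("ripe.net", edns=True)))  # 37
```

The ratio is computed on bytes as they occupy the link rather than on DNS payload alone (490/26 would overstate it at ~19x), which is the point the post makes by adding the fixed per-packet overhead to both sides.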