DNS noise
On Fri, Apr 6, 2012 at 1:04 PM, Nick Hilliard <nick at foobar.org> wrote:
> On 06/04/2012 18:41, Nathan Eisenberg wrote:
>> Anyone else seeing this sort of noise lately?
>
> There has been a bit of that recently for ripe.net and several other well
> known DNSSEC enabled domains (e.g. isc.org).
>
> It turns out that DNSSEC makes a respectable traffic amplification vector:
This is definitely a problem.
Unfortunately, what really should happen is that DNSSEC should be revised to
make sure that the client initiating the query has to either do more work
than the server, or make a round trip before the DNSSEC data can be
requested.
One way of accomplishing that would be to indicate that DNSSEC data can be
transmitted over DNS only when using TCP; since a reflection spoofer cannot
complete a 3-way TCP handshake, the attacker cannot send spoofed requests
for DNSSEC data over TCP.
--
-JH
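As an added illustration of the proposal in the message above (example code written for this page, not from the poster or from any DNS implementation), the following toy authoritative server applies the "DNSSEC data only over TCP" policy in the most common way it is done in practice: a query with the EDNS DO bit set that arrives over UDP gets an empty reply with TC=1, so a real resolver retries over TCP and has to complete a handshake, while a spoofed source receives no more bytes than it sent. The zone name `example.test.`, the A record, the DNSKEY and RRSIG bytes and the `answer()`/`amplification()` helpers are all constructed for this example; the key and signature are filler of realistic wire size, not real cryptographic material, because only the byte counts matter for the amplification figure.

```python
import struct

QTYPE_A, QTYPE_DNSKEY, QTYPE_RRSIG, QTYPE_OPT, QTYPE_ANY = 1, 48, 46, 41, 255
EDNS_DO = 0x8000                                  # DO bit in the OPT RR's extended flags
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080

ZONE_NAME = "example.test."                       # constructed sample zone, not a real domain
# Filler standing in for a 2048-bit DNSKEY and its RRSIG: no real crypto here,
# only the on-the-wire sizes are meaningful for the amplification calculation.
FAKE_KEY = bytes((i * 7) & 0xFF for i in range(257))
FAKE_SIG = bytes((i * 13) & 0xFF for i in range(256))


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=QTYPE_ANY, do_bit=True, txid=0x1234):
    """Client side: one question plus an EDNS0 OPT RR; DO asks for DNSSEC data."""
    header = struct.pack(">HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    # OPT pseudo-RR: root name, type 41, UDP payload size, ext-rcode, version, flags, rdlen
    opt = b"\x00" + struct.pack(">HHBBHH", QTYPE_OPT, 4096, 0, 0, EDNS_DO if do_bit else 0, 0)
    return header + question + opt


def parse_query(msg):
    """Server side: recover txid, the question section and whether DO was set."""
    txid, _flags, _qd, _an, _ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off, labels = 12, []
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    off += 1
    qtype, _qclass = struct.unpack(">HH", msg[off:off + 4])
    question = msg[12:off + 4]
    off += 4
    do_bit = False
    for _ in range(ar):
        if msg[off] != 0:                          # this toy only handles root-named OPT RRs
            break
        rtype, _sz, _erc, _ver, eflags, rdlen = struct.unpack(">HHBBHH", msg[off + 1:off + 11])
        off += 11 + rdlen
        if rtype == QTYPE_OPT:
            do_bit = bool(eflags & EDNS_DO)
    return {"txid": txid, "qname": ".".join(labels) + ".", "qtype": qtype,
            "do": do_bit, "question": question}


def rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack(">HHIH", rtype, 1, ttl, len(rdata)) + rdata


def dnssec_records():
    """Constructed DNSKEY plus covering RRSIG for the sample zone (filler, not signed data)."""
    dnskey = struct.pack(">HBB", 257, 3, 8) + FAKE_KEY       # flags=KSK, protocol=3, alg=8
    rrsig = (struct.pack(">HBBIIIH", QTYPE_DNSKEY, 8, 2, 3600, 0x5F000000, 0x5E000000, 12345)
             + encode_name(ZONE_NAME) + FAKE_SIG)
    return [rr(ZONE_NAME, QTYPE_DNSKEY, 3600, dnskey), rr(ZONE_NAME, QTYPE_RRSIG, 3600, rrsig)]


def answer(query, transport):
    """Authoritative server applying the policy from the post: DNSSEC data only over TCP.

    A DO query over UDP gets an empty truncated reply (TC=1). A genuine resolver
    retries over TCP and must complete the handshake; a spoofed source cannot,
    and the reflected UDP reply is no larger than the query that triggered it.
    The toy answers any qtype for the zone name with its A record.
    """
    q = parse_query(query)
    if q["do"] and transport == "udp":
        header = struct.pack(">HHHHHH", q["txid"], FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA, 1, 0, 0, 0)
        return header + q["question"]
    answers = [rr(ZONE_NAME, QTYPE_A, 3600, bytes([192, 0, 2, 1]))]
    if q["do"]:
        answers += dnssec_records()
    header = struct.pack(">HHHHHH", q["txid"], FLAG_QR | FLAG_RD | FLAG_RA, 1, len(answers), 0, 0)
    return header + q["question"] + b"".join(answers)


def is_truncated(resp):
    return bool(struct.unpack(">H", resp[2:4])[0] & FLAG_TC)


def amplification(query, resp):
    """Bytes the reflector emits per byte the (possibly spoofed) sender paid."""
    return len(resp) / len(query)


if __name__ == "__main__":
    q = build_query(ZONE_NAME)
    for transport in ("udp", "tcp"):
        r = answer(q, transport)
        print(f"{transport}: query {len(q)} B -> response {len(r)} B, "
              f"TC={is_truncated(r)}, amplification x{amplification(q, r):.1f}")
```

With the constructed record sizes the same 41-byte DO query yields roughly a 16x byte gain over TCP and less than 1x over UDP, which is the whole point: the handshake is the round trip the post asks for. This TC-then-retry behaviour is also what response rate limiting's "slip" mode does in BIND and Knot when a source exceeds its quota; the cost, whether applied always or only under load, is one extra TCP round trip and a TCP socket per legitimate validating query.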
- Follow-Ups:
- DNS noise
- From: drc at virtualized.org (David Conrad)
- References:
- DNS noise
- From: nathan at atlasnetworks.us (Nathan Eisenberg)
- DNS noise
- From: nick at foobar.org (Nick Hilliard)