
List:       dns-operations
Subject:    Re: [dns-operations] Always replying to UDP requests with TC=1, good practice or not
From:       Paul Vixie <paul () redbarn ! org>
Date:       2015-10-20 4:19:16
Message-ID: 20358799.JhX2UFCgWB () linux-rfx1


On Tuesday, October 20, 2015 07:49:34 Mark Andrews wrote:
> 
> With EDNS COOKIES one can require a good server cookie before
> providing more of an answer than just BADCOOKIE over UDP.  This is
> similar in nature to always sending TC=1 but keeps the traffic on
> UDP rather than switching the traffic to TCP.  It also doesn't
> require the authoritative server to keep any per client state.

fwiw, i love this approach. DNS RRL is a workaround, nothing more. 

note, though:

http://www.christian-rossow.de/publications/tcpamplification-woot2014.pdf

in this paper, the authors explain why the obligation in TCP to retransmit 
unacked data should not have covered the unconnected state. SYNs will be 
retransmitted, so SYN-ACKs need not have been subject to retransmission.

so there are billions of connected devices now willing to reflect with an 
amplification between 5X and 50X (there was no standard for this number), 
which devices are (a) globally reachable via the internet and (b) unpatchable 
and (c) immortal. so, we should get DNS cookies implemented, in order that the 
reflective amplifying spoofed-source attackers can switch to TCP SYN instead.

-- 
Paul
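The cookie gate Mark Andrews describes above, as an added example that is not part of the original thread and not code from BIND or any other DNS implementation. It assumes a server cookie equal to HMAC-SHA256(server secret, client cookie || client IP) truncated to 8 bytes, the shape of the simple algorithm in RFC 7873 Appendix B; the secret, the addresses, the zone data and the byte-size estimates are all constructed, and DNS messages are Python dicts rather than wire format. What it shows: a UDP query without a valid server cookie gets back nothing but BADCOOKIE and the cookie to use next time, so the server stores no per-client state and a spoofed-source query earns the attacker almost no amplification, while a client that actually received the reply retries once and gets the full answer.

```python
"""Stateless EDNS cookie gate over UDP (added illustration, see lead-in)."""
import hashlib
import hmac
import secrets
from typing import Optional

RCODE_NOERROR = 0
RCODE_BADCOOKIE = 23   # extended RCODE registered by RFC 7873
COOKIE_LEN = 8

# Constructed zone data: a fat TXT RRset, the kind of answer reflectors love.
ZONE = {("example.test.", "TXT"): ["v=spf1 " + "x" * 200] * 4}


class StatelessCookieServer:
    """Authoritative side: full UDP answers only with a valid server cookie."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def server_cookie(self, client_cookie: bytes, client_ip: str) -> bytes:
        # Pure function of (secret, client cookie, client IP): nothing per
        # client is stored, so any instance sharing the secret can verify it.
        msg = client_cookie + client_ip.encode("ascii")
        return hmac.new(self._secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]

    def handle_udp(self, query: dict, src_ip: str) -> dict:
        cc = query.get("client_cookie")
        if cc is None or len(cc) != COOKIE_LEN:
            # Legacy client with no cookie: push it to TCP instead (policy choice).
            return {"rcode": RCODE_NOERROR, "tc": True, "answer": []}
        expected = self.server_cookie(cc, src_ip)
        presented = query.get("server_cookie")
        if presented is None or not hmac.compare_digest(presented, expected):
            # Only BADCOOKIE plus the cookie to use next time: a tiny reply that
            # a spoofed-source sender never sees.
            return {"rcode": RCODE_BADCOOKIE, "tc": False, "answer": [],
                    "client_cookie": cc, "server_cookie": expected}
        answer = ZONE.get((query["qname"], query["qtype"]), [])
        return {"rcode": RCODE_NOERROR, "tc": False, "answer": answer,
                "client_cookie": cc, "server_cookie": expected}


class CookieClient:
    """Resolver side: learns each server's cookie from BADCOOKIE, retries once."""

    def __init__(self, client_cookie: Optional[bytes] = None):
        self._client_cookie = client_cookie or secrets.token_bytes(COOKIE_LEN)
        self._server_cookies: dict = {}   # server IP -> last good server cookie

    def query(self, server, server_ip: str, my_ip: str, qname: str, qtype: str) -> dict:
        q = {"qname": qname, "qtype": qtype, "client_cookie": self._client_cookie,
             "server_cookie": self._server_cookies.get(server_ip)}
        reply = server.handle_udp(q, my_ip)
        if reply["rcode"] == RCODE_BADCOOKIE:
            self._server_cookies[server_ip] = reply["server_cookie"]
            q["server_cookie"] = reply["server_cookie"]
            reply = server.handle_udp(q, my_ip)
        return reply


def approx_size(msg: dict) -> int:
    # Rough, constructed wire-size estimate: 12-byte header, one question,
    # an OPT RR carrying the cookie option, answers counted as text length.
    size = 12 + len(msg.get("qname", "example.test.")) + 5 + 11
    if msg.get("client_cookie"):
        size += 4 + COOKIE_LEN + (COOKIE_LEN if msg.get("server_cookie") else 0)
    size += sum(len(rr) + 12 for rr in msg.get("answer", []))
    return size


def amplification(server, query: dict, src_ip: str) -> float:
    """Reply bytes divided by query bytes for one UDP query, as the server sees it."""
    reply = server.handle_udp(query, src_ip)
    return approx_size({**reply, "qname": query["qname"]}) / approx_size(query)


if __name__ == "__main__":
    server = StatelessCookieServer(secrets.token_bytes(32))
    resolver = CookieClient()
    r = resolver.query(server, "192.0.2.53", "198.51.100.7", "example.test.", "TXT")
    print("honest resolver: rcode", r["rcode"], "with", len(r["answer"]), "records")
    # Reflection attempt: the query arrives bearing the victim's source address.
    spoofed = {"qname": "example.test.", "qtype": "TXT",
               "client_cookie": b"\0" * COOKIE_LEN, "server_cookie": None}
    print("spoofed-source amplification: %.2f" % amplification(server, spoofed, "203.0.113.9"))
```

Binding the cookie to the source address is what makes the scheme safe against an attacker who first learns a valid server cookie from his own address and then replays it with a spoofed one; the server recomputes the MAC over the spoofed address and the check fails, so the reply is again just BADCOOKIE.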

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
