In message <51b991f7.9070...@imperial.ac.uk>, 
Phil Mayers <p.may...@imperial.ac.uk> wrote:

>On 06/13/2013 06:31 AM, Ronald F. Guilmette wrote:
>> 2)  Has anyone ever proposed adding to the DNS protocol something vaguely
>> reminiscent of the old ICMP Source Quench?  If so, what became of that
>> proposal?
>...
>> Basically, the whole idea is just simply to allow a victim to switch to
>> "safe TCP only mode" with all of the intermediaries that are participating
>
>The problem with that idea is that it needs software updates on both the 
>reflecting DNS server and the victim.

Yes.

Is there _any_ even remotely viable proposal for ridding the world of these
damn DDoS amplification attacks that _doesn't_ require either software
updates or worse, hardware updates?

The entire problem is fundamentally a result of the introduction of EDNS0.
Wouldn't you agree?  The introduction of that change also "needed software
updates" on both the sending and receiving side.  (That was accomplished
it seems.)  Should anyone be in the least bit surprised to learn that a
widespread software update might be necessary in order to counteract the
clear (and for some people/sites/companies, catastrophic) effect of an
earlier software update?

>It also seems to require keeping a lot of soft state in the endpoints.

Please define "a lot".

You and I apparently have differing definitions of that term.


Regards,
rfg
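As an added illustration of the two points argued above, the EDNS0 buffer size and the "safe TCP only mode" idea (example code written for this archive page, not from the thread's authors or from BIND): the script builds a minimal DNS query with and without an EDNS0 OPT record, computes the amplification ratio for a constructed 3000-byte ANY answer, and models a responder that sends only a truncated (TC=1) UDP reply above 512 bytes so the client must retry over TCP. The query name, record sizes and the 512-byte cap are constructed assumptions.

```python
import struct
from typing import Optional, Tuple

def build_query(name: str, qtype: int = 255, edns_bufsize: Optional[int] = 4096) -> bytes:
    """Build a minimal DNS query. With EDNS0 an OPT pseudo-RR in the additional
    section advertises the UDP payload size the sender claims it can receive."""
    arcount = 1 if edns_bufsize else 0
    # Header: ID, flags (RD set), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    opt = b""
    if edns_bufsize:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext flags, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return header + question + opt

def question_length(query: bytes) -> int:
    """Length of the question section (QNAME + QTYPE + QCLASS) after the 12-byte header."""
    pos = 12
    while query[pos] != 0:          # walk the length-prefixed labels to the root label
        pos += 1 + query[pos]
    return pos + 1 + 4 - 12

def amplification_factor(query: bytes, response_len: int) -> float:
    """Bytes reflected toward the spoofed source per byte the sender had to emit."""
    return response_len / len(query)

def udp_response_size(query: bytes, full_response_len: int, udp_cap: int = 512) -> Tuple[int, bool]:
    """Model of a responder that caps UDP answers: above the cap it returns only
    header + question with TC=1, so the client must retry over TCP, where the
    handshake defeats source-address spoofing. Returns (bytes_sent, truncated)."""
    if full_response_len <= udp_cap:
        return full_response_len, False
    return 12 + question_length(query), True

if __name__ == "__main__":
    q = build_query("example.com", 255, 4096)   # ANY query advertising a 4096-byte buffer
    big_answer = 3000                           # constructed size of a large ANY response
    print("query:", len(q), "bytes; amplification:", amplification_factor(q, big_answer))
    sent, tc = udp_response_size(q, big_answer)
    print("capped UDP reply:", sent, "bytes, TC set:", tc,
          "amplification:", amplification_factor(q, sent))
```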
