On Mon, 10 Dec 2007, Matt Larson wrote:

> Much against my better judgement, I'm replying to an author who
> repeatedly shows himself incorrigible. But lest his continued
> repetition of a false claim--that authority servers can be used to
> mount as large an attack as open servers--begin to give it an air of
> truth, I'd like to point out:

We have been over this before. The size of an attack depends only on the size of the botnet sending queries and the bandwidth available to the server responding. Authority servers send the exact same size packet as do recursive servers. Therefore, the exact same attack can be mounted with authority servers.

> Can you point us to even one 4Kb response from an authoritative
> server?

This is a frivolous assertion. _Any_ EDNS0-capable authority server can be legitimately configured to provide an 8kb response. Some authority servers are known to provide quite large SPF responses. The exact list of authority servers that currently provide large responses is not necessary to prove my assertions.

Furthermore, once root DNS servers start including IPv6 responses, their responses will be quite large. Other authorities will also have much larger responses.

> P.S. For you or anyone else who'd like to recall the details of the
> open-resolver based DDoS attacks from early 2006, my colleagues
> prepared an excellent (and frightening) presentation on them:
>
> http://www.nanog.org/mtg-0606/scalzo.html

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net    faster, more reliable, better service
617 344 9000
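The size relationship the reply is arguing about, as an added example that is not part of the thread: it builds an EDNS0 TXT query and matching responses offline in wire format (the zone name `example.test` and the record contents are constructed) and reports the response-to-query byte ratio, so a zone operator can measure how large a reply their own records produce and whether it even fits a querier's advertised UDP payload.

```python
import struct

TYPE_TXT, TYPE_OPT, CLASS_IN = 16, 41, 1

def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"

def opt_rr(udp_payload: int) -> bytes:
    """EDNS0 OPT pseudo-RR: root name, TYPE 41, CLASS = advertised UDP payload size."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0, 0)

def build_query(name: str, qtype: int, udp_payload: int = 4096) -> bytes:
    """One-question query carrying an EDNS0 OPT record (ARCOUNT = 1)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN) + opt_rr(udp_payload)

def build_txt_response(query: bytes, name: str, texts: list, udp_payload: int = 4096) -> bytes:
    """Answer the query with one TXT RR per string; the size depends only on the
    records, so an authority server and a recursive resolver serving the same
    zone emit a response of identical length."""
    if any(len(t) > 255 for t in texts):
        raise ValueError("a TXT character-string is at most 255 bytes")
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(texts), 0, 1)
    question = encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    answers = b""
    for t in texts:
        rdata = bytes([len(t)]) + t.encode("ascii")
        answers += encode_name(name) + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 3600, len(rdata))
        answers += rdata
    return header + question + answers + opt_rr(udp_payload)

def amplification_factor(query: bytes, response: bytes) -> float:
    """Response bytes a reflector sends to the victim per byte of spoofed query."""
    return len(response) / len(query)

def fits_advertised_payload(response: bytes, udp_payload: int) -> bool:
    """False when the reply exceeds the querier's EDNS0 payload size (or the 512-byte
    classic limit) and would be truncated instead of delivered whole over UDP."""
    return len(response) <= udp_payload

if __name__ == "__main__":
    zone = "example.test"  # constructed zone name
    q = build_query(zone, TYPE_TXT)
    small = build_txt_response(q, zone, ["v=spf1 ip4:192.0.2.0/24 -all"])
    large = build_txt_response(q, zone, ["x" * 200] * 3)  # constructed oversize SPF-style records
    for label, r in (("small", small), ("large", large)):
        print(f"{label}: query {len(q)} B, response {len(r)} B, x{amplification_factor(q, r):.1f}")
    print("large reply fits a 512-byte non-EDNS0 querier:", fits_advertised_payload(large, 512))
```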
