On Mon, 18 Aug 2008, bert hubert wrote:

> On Sun, Aug 17, 2008 at 11:42:39PM -0400, Dean Anderson wrote:
> 
> > TCP isn't susceptible to this kind of attack at all. TCP spoofing is
> 
> While this is true, it turns out the current crop of authoritative
> nameservers, including mine, is not up to serving thousands of
> requests/second over TCP. Or at least not thousands of new sessions/second.

I agree. TCP connection caching is necessary.  

> I'm working on in-place spoofing countermeasures and I've already had to
> stop my tests because I ended up overloading the authentic authoritative
> servers with TCP queries.

I am interested in helping with this.

                --Dean

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
