On Aug 4, 2015, at 3:26 PM, Paul Wouters <p...@nohats.ca> wrote:

> The confusion is introduced by the term "negative consequences of DNS
> cookies when they are not widely implemented". If the client fails
> to understand the packet, and it is a legitimate client, it will ask
> again. If it is a botnet, it never sees the answer (and asks again anyway
> because it is doing a DDOS). If the legitimate client would not get
> an answer because the server is about to topple over, it would also ask
> again. So I do not understand what these "negative consequences" are.
>
> However, if a client does understand cookies and the server receives
> back a cookie, it can give that request a higher preference and answer
> it in favour of sending cookie requests to clients that did not send
> requests with cookies.
Yes, but the cost is that you’ve doubled the number of packets exchanged, and the DDoS attacker gets a 50% amplification out of it. It’s certainly cheaper than using TCP.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
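The exchange the two messages above are arguing about, as a toy simulation added here (it is not code from the thread, from Paul Wouters, or from any DNS implementation). It models a server that, when under load, answers a query lacking a valid server cookie with a cookie-only BADCOOKIE reply and serves cookie-bearing queries first, a cookie-aware client that re-asks once it has the cookie, and an attacker that spoofs a victim's source address and therefore never re-asks. Everything beyond the RFC 7873 shape of the exchange is an assumption for illustration: the packet sizes, the truncated-HMAC server-cookie construction (RFC 7873 leaves that function to the server), the `under_load` switch, and the addresses and names.

```python
"""Toy model of the DNS cookie (RFC 7873-style) exchange under load.

Constructed example: not wire-format DNS and not any resolver's code.
Packet sizes, the server-cookie function and all names are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional

COOKIE_LEN = 8            # RFC 7873: client cookie is 8 bytes, server cookie 8..32
QUERY_BYTES = 60          # assumed size of a small UDP query
COOKIE_ONLY_BYTES = 80    # assumed size of a BADCOOKIE reply carrying only a cookie
FULL_ANSWER_BYTES = 512   # assumed size of a full answer


@dataclass
class Query:
    src_ip: str
    qname: str
    client_cookie: Optional[bytes] = None
    server_cookie: Optional[bytes] = None


@dataclass
class Response:
    dst_ip: str                     # sent to the *claimed* source, spoofed or not
    rcode: str                      # "NOERROR" or "BADCOOKIE"
    server_cookie: Optional[bytes]
    answer: Optional[str]
    size: int


class CookieServer:
    def __init__(self, secret: bytes, under_load: bool):
        self.secret = secret
        self.under_load = under_load   # when True, demand a valid cookie before answering
        self.responses: List[Response] = []

    def make_server_cookie(self, client_cookie: bytes, ip: str) -> bytes:
        # Assumed construction: truncated HMAC over the client cookie and source address,
        # so a cookie is only valid for the address it was handed to.
        mac = hmac.new(self.secret, client_cookie + ip.encode(), hashlib.sha256).digest()
        return mac[:COOKIE_LEN]

    def cookie_valid(self, q: Query) -> bool:
        if q.client_cookie is None or q.server_cookie is None:
            return False
        expected = self.make_server_cookie(q.client_cookie, q.src_ip)
        return hmac.compare_digest(q.server_cookie, expected)

    def triage(self, queue: List[Query]) -> List[Query]:
        """Give queries that return a valid server cookie preference over the rest."""
        return sorted(queue, key=lambda q: 0 if self.cookie_valid(q) else 1)

    def handle(self, q: Query) -> Response:
        sc = None
        if q.client_cookie is not None:
            sc = self.make_server_cookie(q.client_cookie, q.src_ip)
        if self.under_load and sc is not None and not self.cookie_valid(q):
            # Cookie-aware client without a valid cookie: hand out the cookie only and
            # make it prove it can receive at that address by asking again.
            r = Response(q.src_ip, "BADCOOKIE", sc, None, COOKIE_ONLY_BYTES)
        else:
            # No client cookie at all (cookies not understood) or a valid one: answer.
            r = Response(q.src_ip, "NOERROR", sc, f"answer for {q.qname}", FULL_ANSWER_BYTES)
        self.responses.append(r)
        return r


class Client:
    """Legitimate, cookie-aware client that re-asks once it has learned the server cookie."""

    def __init__(self, ip: str):
        self.ip = ip
        self.client_cookie = os.urandom(COOKIE_LEN)
        self.server_cookie: Optional[bytes] = None
        self.queries_sent = 0

    def _send(self, server: CookieServer, qname: str) -> Response:
        self.queries_sent += 1
        return server.handle(Query(self.ip, qname, self.client_cookie, self.server_cookie))

    def resolve(self, server: CookieServer, qname: str) -> Response:
        r = self._send(server, qname)
        if r.rcode == "BADCOOKIE" and r.server_cookie is not None:
            self.server_cookie = r.server_cookie   # second round trip, with the cookie
            r = self._send(server, qname)
        return r


def legit_lookups(n: int = 2) -> List[int]:
    """Queries needed per lookup for a cookie-aware client against a loaded server."""
    server, client, counts = CookieServer(os.urandom(32), True), Client("192.0.2.10"), []
    for i in range(n):
        before = client.queries_sent
        client.resolve(server, f"host{i}.example.")
        counts.append(client.queries_sent - before)
    return counts   # first lookup costs two queries, later ones one


def spoofed_query() -> dict:
    """Attacker spoofs the victim's address: the cookie reply reaches the victim instead."""
    server, victim_ip = CookieServer(os.urandom(32), True), "198.51.100.7"
    r = server.handle(Query(victim_ip, "example.", client_cookie=os.urandom(COOKIE_LEN)))
    return {"rcode": r.rcode, "dst_ip": r.dst_ip,
            "amplification": r.size / QUERY_BYTES,               # bytes out per byte in
            "full_answer_amplification": FULL_ANSWER_BYTES / QUERY_BYTES}


def triage_order() -> List[str]:
    """Order in which a loaded server serves a mixed queue of queries."""
    server, good = CookieServer(os.urandom(32), True), Client("192.0.2.10")
    good.resolve(server, "warmup.example.")   # obtains its server cookie first
    queue = [Query("203.0.113.5", "a.example.", os.urandom(COOKIE_LEN)),   # no server cookie
             Query(good.ip, "b.example.", good.client_cookie, good.server_cookie),
             Query("203.0.113.6", "c.example.")]                            # no cookie at all
    return [q.qname for q in server.triage(queue)]
```

`legit_lookups()` shows the doubled first exchange (two queries, two replies) and that later lookups cost one round trip; `spoofed_query()` shows that the reply to a spoofed source is a small cookie-only packet rather than a full answer, so the bytes returned per byte received are much lower than if the server had answered outright; `triage_order()` shows the cookie-bearing query served first. The spoofed client never learns the cookie because it never receives the reply.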