Shane Kerr wrote:
>
> In the case where people just want to reduce the damage of ANY queries
> in reflection attacks, I quite like the PowerDNS option of forcing ANY
> queries to TCP via truncation. I'm not sure if this has been documented
> in any RFC, but if not then perhaps it bears mentioning too?

Note that in a normal reflective DDoS where a lot of ANY queries are
being received, the above proposal results in a full TCP session table,
thus denying TCP service to any non-attacker.

This is not a serious problem, since virtually anyone can launch a denial
of service against TCP/53 without a distributed attack force. So that
problem already exists.

If it's going to become a documented operational practice, then this
risk should be documented also.

-- 
Paul Vixie

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
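The truncation behaviour discussed in the thread (answer an ANY query received over UDP with only the TC bit set and an empty answer section, so a legitimate resolver re-asks over TCP while a spoofed-source reflection gets no amplification), as an added Python example that is not code from the thread or from PowerDNS. The zone record, names and function names are constructed for illustration; a real server also strips the two-byte length prefix from TCP messages before reaching this logic, and this handler works on the bare DNS message.

```python
import struct

QTYPE_A = 1
QTYPE_ANY = 255
QCLASS_IN = 1

FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated: client should retry over TCP (RFC 1035 4.2.1)
FLAG_RD = 0x0100  # recursion desired (echoed from the query)
FLAG_RA = 0x0080  # recursion available

# Constructed zone data for the demo: the only record this responder knows.
ZONE = {("example.test.", QTYPE_A): b"\xc0\x00\x02\x01"}  # 192.0.2.1, TEST-NET-1


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode uncompressed labels starting at offset; returns (name, next offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a question")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_query(qname, qtype, txid=0x1234):
    """Build a plain RD=1 query with one question, as a stub resolver would."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_message(data):
    """Parse the header and the single question of a query or response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(data, 12)
    qtype, qclass = struct.unpack("!HH", data[off:off + 4])
    return {"id": txid, "flags": flags, "qname": qname, "qtype": qtype,
            "qclass": qclass, "question": data[12:off + 4], "ancount": ancount}


def handle_query(data, transport):
    """Answer one bare DNS message; transport is 'udp' or 'tcp'."""
    q = parse_message(data)
    flags = FLAG_QR | FLAG_RA | (q["flags"] & FLAG_RD)
    if transport == "udp" and q["qtype"] == QTYPE_ANY:
        # Truncate: TC=1, question echoed, no answers. The reply is no
        # larger than the query, so a spoofed source gains no amplification;
        # a real client retries over TCP and is answered below.
        header = struct.pack("!HHHHHH", q["id"], flags | FLAG_TC, 1, 0, 0, 0)
        return header + q["question"]
    answers = []
    for (name, rtype), rdata in ZONE.items():
        if name == q["qname"] and q["qtype"] in (rtype, QTYPE_ANY):
            # name, type, class, TTL 300, RDLENGTH, RDATA
            answers.append(encode_name(name)
                           + struct.pack("!HHIH", rtype, QCLASS_IN, 300, len(rdata))
                           + rdata)
    header = struct.pack("!HHHHHH", q["id"], flags, 1, len(answers), 0, 0)
    return header + q["question"] + b"".join(answers)


def is_truncated(response):
    return bool(parse_message(response)["flags"] & FLAG_TC)


def answer_count(response):
    return parse_message(response)["ancount"]


def amplification(query, transport):
    """Bytes sent back per byte received, the number a reflector cares about."""
    return len(handle_query(query, transport)) / len(query)


if __name__ == "__main__":
    q = build_query("example.test.", QTYPE_ANY)
    for transport in ("udp", "tcp"):
        r = handle_query(q, transport)
        print(transport, "TC" if is_truncated(r) else "full",
              answer_count(r), "answers", "amp=%.2f" % amplification(q, transport))
```

The cost Paul points at is visible in where the state lives: the UDP path above holds nothing between packets, while every TCP retry that follows occupies a socket until the session ends, which is the table an attacker can fill.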
