On Wed, Aug 5, 2009 at 5:24 PM, Douglas Otis <do...@mail-abuse.org> wrote:
> On 8/5/09 11:31 AM, Roland Dobbins wrote:
>>
>> On Aug 6, 2009, at 1:12 AM, Douglas Otis wrote:
>>
>>> Having major providers support the SCTP option will mitigate disruptions
>>> caused by DNS DDoS attacks using fewer resources.
>>
>> Can you elaborate on this (or are you referring to removing the spoofing
>> vector?)?
>
> SCTP is able to simultaneously exchange chunks (DNS messages) over an
> association. Initialization of associations can offer alternative servers
> for immediate fail-over, which might be seen as a means to arrange anycast
> style redundancy. Unlike TCP, resource commitments are only retained within
> the cookies exchanged. This avoids consumption of resources for tracking
> transaction commitments for what might be spoofed sources. Confirmation of
> the small cookie also offers protection against reflected attacks by spoofed
> sources. In addition to source validation, the 32 bit verification tag and
> TSN would add a significant amount of entropy to the DNS transaction ID.
>
> The SCTP stack is able to perform the housekeeping needed to allow
> associations to persist beyond a single transaction, and there would be no
> need to push partial packets, as is needed with TCP.
And state management seems like it won't be too much of a problem on that DNS server... wait, yes it will.
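To make the point in the quoted message concrete, here is an added toy model of the SCTP four-way handshake (INIT, INIT-ACK carrying a State Cookie, COOKIE-ECHO, COOKIE-ACK, RFC 4960 section 5) and of the verification-tag check on later packets. It is example code written for this thread, not anything posted by Douglas Otis or taken from an SCTP implementation; the cookie layout, the truncated HMAC-SHA256 MAC, the `SctpServer` class and the sample addresses are all assumptions chosen for illustration, and the flood, replay and expiry scenarios use constructed input. It shows why a spoofed INIT flood leaves the server with no per-peer state, why a cookie sniffed from one address cannot be echoed from another, and how the 32-bit verification tag plus TSN gate DATA after the association is up.

```python
"""Toy model of stateless SCTP association setup (not a real SCTP stack)."""
import hashlib
import hmac
import os
import struct
import time

COOKIE_LIFETIME = 60.0   # RFC 4960 Valid.Cookie.Life default, in seconds
_FIXED = "!IIIId"        # peer tag, peer TSN, our tag, our TSN, creation time (assumed layout)
_FIXED_LEN = struct.calcsize(_FIXED)
_MAC_LEN = 16            # truncated HMAC-SHA256; an assumption, RFC 4960 leaves the MAC to the implementation


def _nonzero_u32():
    # Verification tags are 32-bit and must not be zero (0 is reserved for INIT packets).
    return struct.unpack("!I", os.urandom(4))[0] or 1


class SctpServer:
    """Server side of INIT / INIT-ACK / COOKIE-ECHO / COOKIE-ACK, then DATA."""

    def __init__(self, secret=None, clock=time.monotonic):
        self.secret = secret or os.urandom(32)  # real stacks rotate this key periodically
        self.clock = clock
        self.tcbs = {}  # peer address -> TCB; stays empty until a valid COOKIE-ECHO arrives

    def _mac(self, body):
        return hmac.new(self.secret, body, hashlib.sha256).digest()[:_MAC_LEN]

    def on_init(self, peer, peer_tag, peer_tsn):
        """INIT handler: everything the association will need goes into the cookie.
        Nothing is stored, so a spoofed INIT costs one HMAC and one reply, no memory."""
        our_tag, our_tsn = _nonzero_u32(), _nonzero_u32()
        body = struct.pack(_FIXED, peer_tag, peer_tsn, our_tag, our_tsn, self.clock())
        body += peer.encode()  # bind the cookie to the address the INIT-ACK is sent to
        return {"chunk": "INIT-ACK", "tag": our_tag, "tsn": our_tsn,
                "cookie": body + self._mac(body)}

    def on_cookie_echo(self, peer, cookie):
        """COOKIE-ECHO handler: only a cookie we minted, still within its lifetime, and
        echoed from the address it was issued to creates a TCB. Anything else is dropped."""
        body, mac = cookie[:-_MAC_LEN], cookie[-_MAC_LEN:]
        if len(body) < _FIXED_LEN or not hmac.compare_digest(mac, self._mac(body)):
            return None
        peer_tag, peer_tsn, our_tag, our_tsn, created = struct.unpack(_FIXED, body[:_FIXED_LEN])
        if body[_FIXED_LEN:].decode() != peer or self.clock() - created > COOKIE_LIFETIME:
            return None
        self.tcbs[peer] = {"peer_tag": peer_tag, "our_tag": our_tag,
                           "next_tsn": peer_tsn, "our_tsn": our_tsn}
        return {"chunk": "COOKIE-ACK"}

    def on_data(self, peer, vtag, tsn, payload):
        """DATA handler: the packet must carry our verification tag for this association
        and the expected TSN, so a blind forger guesses 32 + 32 bits, not a 16-bit DNS ID."""
        tcb = self.tcbs.get(peer)
        if tcb is None or vtag != tcb["our_tag"] or tsn != tcb["next_tsn"]:
            return False
        tcb["next_tsn"] = (tsn + 1) & 0xFFFFFFFF
        return True


def legitimate_peer(server, addr="198.51.100.7:5000"):
    """A real client that owns its source address, so it actually sees the INIT-ACK."""
    my_tag, my_tsn = _nonzero_u32(), _nonzero_u32()
    init_ack = server.on_init(addr, my_tag, my_tsn)
    cookie_ack = server.on_cookie_echo(addr, init_ack["cookie"])
    # First DATA carries the peer's Initial TSN and the tag the server announced in INIT-ACK.
    delivered = server.on_data(addr, init_ack["tag"], my_tsn, b"DNS query")
    return cookie_ack is not None and delivered


def spoofed_init_flood(server, count=10_000):
    """Attacker blasts INITs from random spoofed sources (constructed addresses).
    The INIT-ACKs go to the spoofed hosts, so no COOKIE-ECHO ever comes back."""
    for i in range(count):
        server.on_init(f"203.0.113.{i % 256}:{1024 + i}", _nonzero_u32(), _nonzero_u32())
    return len(server.tcbs)  # number of TCBs the flood created


def replay_from_other_address(server):
    """Attacker who sniffed a victim's cookie and echoes it from its own address."""
    victim = "198.51.100.9:5000"
    cookie = server.on_init(victim, _nonzero_u32(), _nonzero_u32())["cookie"]
    return server.on_cookie_echo("203.0.113.1:4444", cookie)


def expired_cookie(secret=b"k" * 32):
    """A cookie echoed after Valid.Cookie.Life (fake clock advanced 61 s) is refused."""
    now = [1000.0]
    server = SctpServer(secret=secret, clock=lambda: now[0])
    cookie = server.on_init("198.51.100.10:5000", 7, 7)["cookie"]
    now[0] += COOKIE_LIFETIME + 1
    return server.on_cookie_echo("198.51.100.10:5000", cookie)


if __name__ == "__main__":
    s = SctpServer()
    print("TCBs after 10k spoofed INITs:", spoofed_init_flood(s))
    print("legitimate peer completes and sends DATA:", legitimate_peer(s))
    print("sniffed cookie replayed from another address:", replay_from_other_address(s))
    print("stale cookie:", expired_cookie())
    print("DATA with wrong verification tag accepted:", s.on_data("198.51.100.7:5000", 0, 0, b"x"))
```

The server's only per-INIT cost is one HMAC and one INIT-ACK; the TCB is allocated when a cookie it minted comes back from the address it was minted for, which a blind spoofer never sees. The second half of the message (associations that outlive a single query, no partial-packet pushing) is a property of the stack, not shown here.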