On Thu, Aug 6, 2009 at 2:51 AM, Paul Vixie <vi...@isc.org> wrote:
> Christopher Morrow <morrowc.li...@gmail.com> writes:
>
>> how does SCTP ensure against spoofed or reflected attacks?
>
> there is no server-side protocol control block required in SCTP. someone
> sends you a "create association" request, you send back an "ok, here's your
> cookie" and you're done until/unless they come back and say "ok, here's my
> cookie, and here's my DNS request." so a spoofer doesn't get a cookie and
> a reflector doesn't burden a server any more than a DDoS would do.
awesome, how does that work with devices in the f-root-anycast design? (both
local hosts in the rack and if I flip from rack to rack) If I send along a
request to a host with which I do not have an association created, do I get a
failure and then re-setup? (inducing further latency)

> because of the extra round trips nec'y to create an SCTP "association" (for
> which you can think, lightweight TCP-like session-like), it's going to be
> nec'y to leave associations in place between iterative caches and authority
> servers, and in place between stubs and iterative caches. however, because
> the state is mostly on the client side, a server with associations open to
> millions of clients at the same time is actually no big deal.

See question above, as well as: "Do load balancers, or load-balanced
deployments, deal with this properly?" (load balancers like F5, Citrix,
Radware, Cisco, etc...)

-Chris
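As an added illustration, not code from this thread or from any SCTP implementation, the following toy model shows the stateless cookie exchange Paul describes: the server answers INIT with a signed cookie and keeps nothing, and only allocates association state when a COOKIE ECHO carrying a valid cookie comes back from the address it was issued to. Class and method names, the cookie layout, and the sample addresses are all assumptions made for the example.

```python
import hmac, hashlib, os, struct, time

COOKIE_FMT = "!16sHIQ"  # constructed layout: client addr, client port, client init tag, timestamp
MAC_LEN = 32            # SHA-256 HMAC appended to the cookie body

class StatelessSctpServer:
    """Toy model of SCTP INIT -> INIT-ACK(cookie) -> COOKIE-ECHO (hypothetical code)."""

    def __init__(self, lifetime=60):
        self.secret = os.urandom(32)   # per-server cookie-signing key; the only server state
        self.lifetime = lifetime       # seconds a cookie stays acceptable
        self.associations = {}         # populated only after a valid COOKIE ECHO

    def _sign(self, body):
        return hmac.new(self.secret, body, hashlib.sha256).digest()

    def on_init(self, src_addr, src_port, init_tag, now=None):
        """Reply to INIT with an INIT-ACK holding a self-contained cookie; store nothing.
        The reply goes to src_addr, so a spoofed INIT delivers the cookie to the
        spoofed address and the spoofer never learns it."""
        ts = int(now if now is not None else time.time())
        body = struct.pack(COOKIE_FMT, src_addr.encode(), src_port, init_tag, ts)
        return src_addr, body + self._sign(body)   # (destination of INIT-ACK, cookie)

    def on_cookie_echo(self, src_addr, src_port, cookie, now=None):
        """Verify a COOKIE ECHO; allocate association state only on success."""
        ts_now = int(now if now is not None else time.time())
        body, mac = cookie[:-MAC_LEN], cookie[-MAC_LEN:]
        if len(body) != struct.calcsize(COOKIE_FMT):
            return False
        if not hmac.compare_digest(mac, self._sign(body)):
            return False                            # forged or tampered cookie
        addr, port, tag, ts = struct.unpack(COOKIE_FMT, body)
        if addr.rstrip(b"\0").decode() != src_addr or port != src_port:
            return False                            # cookie echoed from a different peer
        if not 0 <= ts_now - ts <= self.lifetime:
            return False                            # expired (or future-dated) cookie
        self.associations[(src_addr, src_port)] = tag
        return True

def demo():
    """Legitimate setup, a spoofed INIT, and a replay of a stolen cookie (constructed input)."""
    srv = StatelessSctpServer()
    dest, cookie = srv.on_init("192.0.2.10", 40000, 0x1234, now=1000)
    state_after_init = len(srv.associations)       # still 0: INIT costs the server nothing
    ok = srv.on_cookie_echo("192.0.2.10", 40000, cookie, now=1001)
    spoof_dest, _ = srv.on_init("198.51.100.7", 1234, 0x99, now=1000)  # reply goes to the victim
    replay = srv.on_cookie_echo("203.0.113.5", 40000, cookie, now=1002)
    return state_after_init, ok, spoof_dest, replay, len(srv.associations)
```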