On Oct 1, 2007, at 10:10 AM, Jeffrey Hutzelman wrote:
> No; the blame for an attack _always_ lies with the attacker, not
> the victim. While I certainly wish more network providers would
> implement BCP 38, those who fail to do so are not to blame for the
> bad acts of others.
Given the reality with bots et al. today, most of the attacking
systems are actually victims themselves.
> It does, but normally only responses which are too long for UDP
> require the use of TCP. A recursive nameserver could mitigate this
> type of attack by lowering the maximum response size it is willing
> to send via UDP, forcing the use of TCP and thus a three-way
> handshake for larger responses. The tricky part is that setting
> the threshold too low can have serious performance impact.
Note that in real deployments just this behavior has broken things
on occasion, as many firewall and other such policy application points
assume things like DNS resolution will only be UDP/53 transactions.
YMMV.
-danny
_______________________________________________
Ietf mailing list
ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
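The mechanism discussed in the exchange above (a nameserver capping the size of responses it will send over UDP, setting the TC bit so the client falls back to TCP, and the effect that cap has on the reflection/amplification ratio) is easy to see with a small simulation. The following is an added example, not code from the thread or from any real nameserver: it builds a toy DNS query and a response padded with constructed A records in the 192.0.2.0/24 TEST-NET-1 range, then applies a hypothetical `apply_udp_limit` policy that drops whole answer RRs until the reply fits under a UDP size threshold and flags the result as truncated. The threshold values are arbitrary; real implementations expose a similar knob (for example BIND's `max-udp-size` option), but the packet builder here is deliberately minimal and not a substitute for a DNS library.

```python
import struct

# DNS header flag bits used below (RFC 1035 section 4.1.1)
FLAG_QR = 0x8000   # response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_TC = 0x0200   # truncated: client should retry over TCP

QTYPE_A = 1
QCLASS_IN = 1
QNAME_PTR = 0xC00C  # compression pointer to the question name at offset 12


def build_query(qname, qtype=QTYPE_A, txid=0x1234):
    """Build a minimal recursive DNS query packet (constructed sample input)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, QCLASS_IN)


def build_answer_rrs(count, ttl=300):
    """Construct `count` A records for the question name, 16 bytes each.
    Addresses come from TEST-NET-1 (192.0.2.0/24), which is reserved for docs."""
    rrs = []
    for i in range(count):
        rdata = bytes([192, 0, 2, (i % 254) + 1])
        rrs.append(struct.pack("!HHHIH", QNAME_PTR, QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata)
    return rrs


def build_response(query, rrs, tc=False):
    """Assemble a response: copy txid and question, append the given RRs."""
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if tc else 0)
    header = struct.pack("!HHHHHH", txid, flags, qdcount, len(rrs), 0, 0)
    return header + query[12:] + b"".join(rrs)


def apply_udp_limit(query, rrs, max_udp_size):
    """Emulate a server unwilling to send UDP replies larger than max_udp_size.

    If the full answer fits, it is sent as-is. Otherwise whole RRs are dropped
    until the reply fits and TC is set, so a well-behaved client retries over
    TCP (and therefore completes a three-way handshake first). If even a single
    RR does not fit, the reply carries only the question section plus TC.
    Returns (packet, truncated_flag).
    """
    full = build_response(query, rrs)
    if len(full) <= max_udp_size:
        return full, False
    kept = list(rrs)
    while kept and len(build_response(query, kept, tc=True)) > max_udp_size:
        kept.pop()
    return build_response(query, kept, tc=True), True


def tc_bit(packet):
    """True if the TC (truncated) flag is set in a DNS packet header."""
    return bool(struct.unpack("!H", packet[2:4])[0] & FLAG_TC)


def answer_count(packet):
    """ANCOUNT from the header."""
    return struct.unpack("!H", packet[6:8])[0]


def amplification(query, response):
    """Bytes a reflector sends per byte of spoofed query it received."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("example.com")
    answers = build_answer_rrs(30)
    for limit in (4096, 512, 128):
        pkt, truncated = apply_udp_limit(q, answers, limit)
        print(f"limit={limit:5d} reply={len(pkt):4d}B ancount={answer_count(pkt):2d} "
              f"TC={tc_bit(pkt)} amplification={amplification(q, pkt):.1f}x")
```

The last line of the output shows the trade-off the thread describes: the lower the UDP cap, the smaller the response an attacker can reflect off the resolver, but every legitimate client whose answer exceeds the cap now pays for a TCP retry, and a client sitting behind a middlebox that only passes UDP/53 (Danny's caveat) never gets the full answer at all.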