
Re: [secdir] secdir review of draft-ietf-dnsop-reflectors-are-evil-04.txt

2007-10-01 09:39:09

On Oct 1, 2007, at 10:10 AM, Jeffrey Hutzelman wrote:

> No; the blame for an attack _always_ lies with the attacker, not the victim. While I certainly wish more network providers would implement BCP 38, those who fail to do so are not to blame for the bad acts of others.

Given the reality with bots et al. today, most of the attacking
systems are actually victims themselves.

> It does, but normally only responses which are too long for UDP require the use of TCP. A recursive nameserver could mitigate this type of attack by lowering the maximum response size it is willing to send via UDP, forcing the use of TCP and thus a three-way handshake for larger responses. The tricky part is that setting the threshold too low can have serious performance impact.

Note that in real deployments just this behavior has broken things
on occasion, as many firewall and other such policy application points
assume things like DNS resolution will only be UDP/53 transactions.

YMMV.

-danny

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
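The mitigation discussed above (capping the UDP response size so that larger answers come back with the TC bit set and the client retries over TCP) in a small offline simulation. This is an added example, not code from either poster; the domain name, the 40-record answer and the size caps are constructed sample values, and the "TCP" path is simulated by handing back the uncapped response, standing in for the retry a real resolver would make after the three-way handshake.

```python
"""Simulate a DNS server that caps UDP responses and a client that falls
back to TCP when the TC (truncation) bit is set.  Added example with
hand-built wire-format messages; nothing here touches the network."""
import struct

TC_FLAG = 0x0200  # truncation bit in the DNS header flags word


def encode_name(name):
    """Encode a dotted name into DNS label format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Standard query (RD set) with a single question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query, rdatas, ttl=300):
    """Answer the query with one A record per 4-byte rdata value."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]  # the query carries exactly one question
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rdatas), 0, 0)
    answers = b""
    for rdata in rdatas:
        # 0xC00C is a compression pointer to the name at offset 12 (the question)
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, len(rdata)) + rdata
    return header + question + answers


def question_end(msg):
    """Offset just past the (single) question section."""
    i = 12
    while msg[i] != 0:
        i += 1 + msg[i]
    return i + 1 + 4  # terminating zero label plus QTYPE and QCLASS


def serve_udp(response, max_udp_size):
    """Server side: if the full reply fits under the cap, send it;
    otherwise send header plus question with TC=1 and no answers."""
    if len(response) <= max_udp_size:
        return response
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    header = struct.pack("!HHHHHH", txid, flags | TC_FLAG, qd, 0, 0, 0)
    return header + response[12:question_end(response)]


def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_FLAG)


def resolve(query, full_response, max_udp_size):
    """Client side: try UDP first, retry over TCP if TC is set.
    Returns (transport_used, reply, udp_bytes_received)."""
    udp_reply = serve_udp(full_response, max_udp_size)
    if not is_truncated(udp_reply):
        return "udp", udp_reply, len(udp_reply)
    # Simulated TCP retry: no size cap once a connection exists.
    return "tcp", full_response, len(udp_reply)


def udp_amplification(query, full_response, max_udp_size):
    """Bytes sent over UDP per byte of query, i.e. what a spoofed-source
    attacker can extract from this server without completing a handshake."""
    return len(serve_udp(full_response, max_udp_size)) / len(query)


if __name__ == "__main__":
    q = build_query("example.com")
    # Constructed answer: 40 A records in 192.0.2.0/24 (documentation range)
    big = build_response(q, [bytes([192, 0, 2, n]) for n in range(1, 41)])
    print("query %d bytes, full answer %d bytes" % (len(q), len(big)))
    for cap in (512, 1232, 4096):
        transport, reply, udp_bytes = resolve(q, big, cap)
        print("cap %4d: %s, %d bytes over UDP, UDP amplification %.1fx"
              % (cap, transport, udp_bytes, udp_amplification(q, big, cap)))
```

With the 512-byte cap the server's UDP reply shrinks to header plus question, so the amplification available to a spoofed-source attacker drops to about 1x, and the legitimate client pays for it with a second round trip over TCP. That second round trip is exactly where the firewall caveat in the reply bites: a policy point that only permits UDP/53 turns every truncated answer into a resolution failure, so the cap must be tested against the middleboxes on the path, not just against the resolver. BIND, for instance, exposes this knob as the `max-udp-size` option.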