RE: DNS Server DoS Attacks
> -----Original Message-----
> From: owner-namedroppers@ops.ietf.org
> [mailto:owner-namedroppers@ops.ietf.org] On Behalf Of Alec H. Peterson
> Sent: Saturday, November 23, 2002 7:49 AM
> To: john@chagres.net; namedroppers@ops.ietf.org
> Subject: RE: DNS Server DoS Attacks
>
>
> --On Saturday, November 23, 2002 12:47 AM -0700 "John M. Brown"
> <john@chagres.net> wrote:
>
> > packet forwarding engines won't tell the difference between
> > a good query and a bad query without serious penalty to the PFE
> > performance.
>
> I don't think I understand, what does my suggestion have to do with
> packet forwarding engines distinguishing between good and bad queries?
Long flight, coffee == empty; it was part of a different conversation
that slipped into this thread. Sorry.
Some people were arguing that you could filter via ACLs and such;
that works until the poison (bad packets) looks, smells and tastes like
what you think lunch should be.
> But if your authoritative DNS servers aren't even reachable
> to have the cache get re-populated then what good is it to
> have the cache get aged?
Keeps the system cleaner. See Paul's answer.
> My proposal doesn't change the current cache aging system, you can still
> have a 10 minute TTL and have an authoritative server re-query after the
> original 10 minutes has expired. This just _allows_ caching nameservers
> to keep stuff for longer if it is not possible to re-populate the cache
> due to unreachable nameservers.
So how does this caching change handle a zone going away? If I remove
a zone from service, is that not like a DoS?
What I'm hearing is "let's have a static value that keeps data in a
cache longer than what the owner wants, just in case things break"... is
that correct?
> > c) signing the root zone, more for layer 8 reasons than others.
>
> I fail to see how signing the root zone would keep somebody
> from flooding me with packets.
It doesn't. It "protects" the zone; it's a layer 8 warm and fuzzy
thing. It does help make sure that the anycast box you are asking is
serving the same data as all of the others, and if it's not, you can
ignore that server.
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
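The caching change argued over above (keep an expired record when the authoritative servers cannot be reached) and the objection to it (a zone the owner has removed keeps being served while the servers are unreachable) can be made concrete with a toy resolver model. The following is an added illustration, not code from the thread or from any nameserver implementation; the names, addresses, TTLs, the fixed negative-cache time and the max-stale cap are all constructed assumptions, the thread itself names no such cap.

```python
"""Toy caching resolver with an optional "serve stale" window.

Added illustration, not code from the namedroppers thread. It models the
proposal discussed above (keep an expired record if the authoritative
server cannot be reached) and the objection to it (a zone the owner has
removed keeps being served while the authoritative side is unreachable).
All names, records, TTLs and timings are constructed; the max-stale cap
and the 60 s negative-cache time are assumed parameters.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class Unreachable(Exception):
    """Raised when no authoritative server answers (timeout / flood)."""


@dataclass
class AuthServer:
    """Constructed authoritative server: name -> (rdata, ttl); missing name == NXDOMAIN."""
    zone: Dict[str, Tuple[str, int]] = field(default_factory=dict)
    reachable: bool = True

    def query(self, name: str) -> Optional[Tuple[str, int]]:
        if not self.reachable:
            raise Unreachable(name)
        return self.zone.get(name)  # None == authoritative "does not exist"


@dataclass
class CacheEntry:
    rdata: Optional[str]  # None caches a negative answer
    expires: float        # absolute time at which the owner's TTL runs out


@dataclass
class Resolver:
    auth: AuthServer
    max_stale: float = 0.0  # 0 == plain TTL behaviour; >0 == assumed serve-stale window in seconds
    cache: Dict[str, CacheEntry] = field(default_factory=dict)

    def resolve(self, name: str, now: float) -> Tuple[Optional[str], str]:
        """Return (rdata, source); source is 'cache', 'auth', 'stale' or 'servfail'."""
        entry = self.cache.get(name)
        if entry is not None and now < entry.expires:
            return entry.rdata, "cache"
        try:
            answer = self.auth.query(name)
        except Unreachable:
            # Owner's TTL has run out and we cannot re-populate the cache.
            if (entry is not None and self.max_stale > 0
                    and now < entry.expires + self.max_stale):
                return entry.rdata, "stale"
            return None, "servfail"
        if answer is None:
            # Name/zone removed: cache the negative answer for a short, assumed time.
            self.cache[name] = CacheEntry(None, now + 60)
            return None, "auth"
        rdata, ttl = answer
        self.cache[name] = CacheEntry(rdata, now + ttl)
        return rdata, "auth"


def scenario(max_stale: float) -> List[Tuple[float, Optional[str], str]]:
    """Walk the thread's two cases; returns (time, rdata, source) per lookup."""
    auth = AuthServer({"www.example.net": ("192.0.2.10", 600)})  # constructed zone data
    r = Resolver(auth, max_stale=max_stale)
    out = []
    out.append((0,) + r.resolve("www.example.net", 0))        # populate the cache
    out.append((300,) + r.resolve("www.example.net", 300))    # still within the TTL
    # Case 1: a flood takes the authoritative servers off the net after the TTL expires.
    auth.reachable = False
    out.append((900,) + r.resolve("www.example.net", 900))
    # Case 2 (the objection): the owner removes the name while the servers are
    # unreachable. The resolver cannot tell "removed" from "flooded".
    del auth.zone["www.example.net"]
    out.append((1200,) + r.resolve("www.example.net", 1200))
    # Once the servers are reachable again, the authoritative negative answer wins.
    auth.reachable = True
    out.append((1500,) + r.resolve("www.example.net", 1500))
    return out


if __name__ == "__main__":
    for cap in (0, 3600):
        print(f"max_stale={cap}:")
        for t, rdata, src in scenario(cap):
            print(f"  t={t:>5} {src:<8} {rdata}")
```

With `max_stale=0` the third and fourth lookups SERVFAIL, which is the flood outcome the proposal wants to avoid; with `max_stale=3600` both return the old address, including the lookup made after the owner has already withdrawn the name, which is exactly the "longer than what the owner wants" case raised in the reply. Only a reachable authoritative server ends the stale answers.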