DNS Amplification Attacks... and a trivial proposal
Doug Barton
dougb at dougbarton.us
Thu Jun 13 21:10:51 UTC 2013
On 06/13/2013 02:01 PM, Ronald F. Guilmette wrote:
> The entire problem is fundamentally a result of the introduction of EDNS0.
> Wouldn't you agree?
No. You can still get pretty good amplification with 512 byte responses.
There are 2 causes of this problem, lack of BCP 38, and improperly
secured (read, "open") resolvers. The first requires operator education,
and in a non-trivial number of cases requires operators to act against
their own interests. Thus, the problem remains unsolved 13 years later.
The latter problem also requires operator education, but is more likely
to be solvable.
There is no quick fix.
Doug
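
One way to close the open-resolver cause named in the reply above, shown as an added example that is not part of the original post: a BIND 9 named.conf fragment that limits recursion to known clients. The ACL name and the address ranges are constructed placeholders (documentation prefixes), not values from the thread.

```conf
// Added example, not from the original post.
// ACL name and prefixes are placeholders (RFC 5737 / RFC 3849 documentation
// ranges); substitute the networks this resolver is actually meant to serve.
acl "trusted-clients" {
    localhost;
    localnets;
    192.0.2.0/24;
    2001:db8::/32;
};

options {
    // Open-resolver form (what to avoid): recursion offered to anyone.
    //   recursion yes;
    //   allow-recursion { any; };

    // Restricted form: recurse, and answer from cache, only for known clients.
    recursion yes;
    allow-recursion   { "trusted-clients"; };
    allow-query-cache { "trusted-clients"; };
};

// On a server that is authoritative-only, turn recursion off instead:
//   options { recursion no; };
```

Running `named-checkconf` on the edited file checks the syntax before the server is reloaded.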