Lars Hecking <[EMAIL PROTECTED]> writes:

> So, what about Polyakov? Is it a threat to the real world, or is it just
> a matter of DNSSEC or die now?
when folks on slashdot asked that question, i said:

http://tech.slashdot.org/comments.pl?sid=640993&cid=24537509

while i think it's bad that anybody who can hammer you at GigE speed for ten hours can poison your cache, it's not a threat to the real world the way 11 seconds at 10-megabit was. so while we all do have to do dnssec and we will all eventually die, those two facts are unrelated.

note that any dns server with a host based firewall can implement a 100% effective mitigation for the Polyakov attack, and it's possible that an upstream/outboard firewall could also be made to do it. in freebsd ipfw it looks like this:

    # send inbound UDP traffic with source port 53 (i.e. answers) bound for this server through pipe 1
    add pipe 1 udp from any 53 to 204.152.188.20 in
    # one dynamic pipe per source address (full /32 mask, hashed into 32768 buckets), each capped at 56Kbit/s with a one-packet queue
    pipe 1 config mask src-ip 0xffffffff buckets 32768 bw 56Kbit/s queue 1

at some point ISC will have to put logic like this into BIND, of course. but protecting against the Polyakov attack is like synflood protection in that it's a rate-limit problem.

-- 
Paul Vixie
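As an added illustration of why a per-source bandwidth cap is the relevant control here (this is example code written for this page, not ipfw/dummynet code and not from Vixie's post), the following simplified token-bucket model imitates the dynamic pipe above: one pipe per source address, refilled at 56 Kbit/s, with about one packet of burst credit. It feeds a constructed flood of forged answers from one spoofed source through the limiter alongside a single genuine answer from another server; the packet sizes, addresses and rates are assumptions made up for the demo.

```python
"""Per-source-IP rate limiter modelled on an ipfw dynamic pipe.

Assumption: this is a simplified token-bucket model of
'pipe 1 config mask src-ip 0xffffffff buckets 32768 bw 56Kbit/s queue 1',
constructed for illustration. It ignores dummynet's scheduler details and
is not the firewall's own code.
"""
from collections import defaultdict

BW_BITS_PER_SEC = 56_000      # bw 56Kbit/s
QUEUE_PACKETS = 1             # queue 1: roughly one packet's worth of burst credit
MAX_PACKET_BITS = 512 * 8     # assumed size of a UDP DNS answer (constructed)


class PerSourcePipe:
    """One dynamic pipe per source IP (mask src-ip 0xffffffff).

    ipfw keeps these in a hash table ('buckets 32768'); a dict keyed by the
    full source address plays that role here.
    """

    def __init__(self, bw=BW_BITS_PER_SEC, queue=QUEUE_PACKETS,
                 max_packet_bits=MAX_PACKET_BITS):
        self.bw = bw
        self.capacity = queue * max_packet_bits   # burst credit, in bits
        self.tokens = {}   # bits of credit per source IP
        self.last = {}     # time of last refill per source IP

    def admit(self, src_ip, now, length_bytes):
        """Return True if a packet from src_ip arriving at `now` fits in its pipe."""
        bits = length_bytes * 8
        if src_ip not in self.tokens:
            # a newly created pipe starts with full credit
            self.tokens[src_ip] = self.capacity
            self.last[src_ip] = now
        # refill credit at the configured bandwidth, capped at the queue depth
        elapsed = now - self.last[src_ip]
        self.tokens[src_ip] = min(self.capacity,
                                  self.tokens[src_ip] + elapsed * self.bw)
        self.last[src_ip] = now
        if self.tokens[src_ip] >= bits:
            self.tokens[src_ip] -= bits
            return True
        return False   # over budget: dropped, as the pipe would do


def simulate(pipe, packets):
    """Feed (src_ip, time_s, length_bytes) tuples; return {src_ip: admitted count}."""
    admitted = defaultdict(int)
    for src, t, length in packets:
        if pipe.admit(src, t, length):
            admitted[src] += 1
    return dict(admitted)


def forged_flood(src_ip, pps, seconds, length_bytes=100):
    """Constructed traffic: one (spoofed) source sending forged answers at `pps`."""
    n = int(pps * seconds)
    return [(src_ip, i / pps, length_bytes) for i in range(n)]


def demo(bw=BW_BITS_PER_SEC):
    """100k forged 100-byte answers/s (80 Mbit/s) from one spoofed source for
    one second, plus one genuine 100-byte answer from a different server."""
    attacker = "192.0.2.1"      # documentation addresses, constructed
    genuine = "198.51.100.2"
    traffic = forged_flood(attacker, 100_000, 1.0) + [(genuine, 0.5, 100)]
    traffic.sort(key=lambda p: p[1])
    return simulate(PerSourcePipe(bw=bw), traffic)


if __name__ == "__main__":
    # with the 56Kbit/s cap, 800-bit forged answers get through at about 70/s
    print(demo())
```

Two things the run shows: the spoofed source is throttled from 100,000 forged answers a second down to a few dozen, which is the factor by which the attacker's guessing rate, and so the expected time to a successful poison, is reduced; and the genuine answer from the other address is admitted untouched, because the `mask src-ip` keying gives every source its own pipe rather than one shared budget.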
