On 28/09/12 05:19, Phil Pennock wrote:
> On 2012-09-27 at 12:23 -0400, Olafur Gudmundsson wrote:
>> Similarly we should think about approaches that operators/implementors
>> can take to limit their vulnerability
>
> Three crazy ideas, not tried because so far I've been lucky enough to
> not get a serious DoS; throwing them out to see what sticks, past the
> mockery.
>
> (1)
> Log queries in-memory only, with a ring buffer, so that if a reader
> doesn't keep up, it loses those queries; in high enough volume, log
> statistical samples.
>
> Experiment to see if OS fingerprinting yields useful signal on DNS UDP
> queries (I suspect not?).
^^^ It doesn't work at all. I tested that while at CAIDA in order to
qualify the sources of traffic hitting the root servers. Most of the OS
fingerprinting is based on variations of the TCP handshake flags + other
TCP elements. I used lots and lots of packets against a passive OS
fingerprinting code and the results were useless.

Kind Regards,
--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
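Idea (1) in Phil's quoted message, a query log that never blocks the packet path and degrades to statistical samples under load, is sketched below as an added example. It is not code from this thread or from any DNS server; the class and function names, the 4096-record capacity, the 1000 qps threshold, the 1-in-100 sample rate and the traffic in simulate() are all constructed for illustration. Two failure modes are made visible: a slow reader loses records (counted in `evicted`, never blocking the writer), and above the rate threshold each logged record carries a weight so that client rankings and query totals can still be estimated from the sample.

```python
"""Lossy in-memory DNS query log: ring buffer plus rate-triggered sampling.

Added example, not code from the dns-operations thread or from any DNS
server. Names, thresholds and the simulated traffic are assumptions.
"""
import random
import time
from collections import Counter, deque


class LossyQueryLog:
    """Writer never blocks: a full buffer evicts the oldest record, and above
    `qps_threshold` queries per wall-clock second only 1 in `sample_every`
    queries is recorded, each record carrying its sampling weight."""

    def __init__(self, capacity=4096, qps_threshold=1000, sample_every=100,
                 now=time.monotonic, rng=None):
        self._buf = deque(maxlen=capacity)   # deque drops the oldest when full
        self._qps_threshold = qps_threshold
        self._sample_every = sample_every
        self._now = now                      # injectable clock for testing
        self._rng = rng or random.Random()
        self._window = None                  # integer second of current window
        self._window_count = 0
        self.seen = 0            # queries offered to record()
        self.logged = 0          # records actually written
        self.sampled_out = 0     # skipped because sampling was active
        self.evicted = 0         # overwritten before a reader drained them
        self.weight_logged = 0   # sum of weights: unbiased estimate of `seen`

    def record(self, client, qname, qtype):
        """Called from the query path; returns True if a record was written."""
        self.seen += 1
        t = self._now()
        sec = int(t)
        if sec != self._window:              # new one-second rate window
            self._window, self._window_count = sec, 0
        self._window_count += 1
        sampling = self._window_count > self._qps_threshold
        if sampling and self._rng.randrange(self._sample_every) != 0:
            self.sampled_out += 1            # random, not every-Nth, sampling
            return False
        weight = self._sample_every if sampling else 1
        if len(self._buf) == self._buf.maxlen:
            self.evicted += 1                # reader did not keep up
        self._buf.append((t, client, qname, qtype, weight))
        self.logged += 1
        self.weight_logged += weight
        return True

    def drain(self):
        """Reader side: take everything currently buffered."""
        out = list(self._buf)
        self._buf.clear()
        return out


def top_clients(records, n=3):
    """Weighted client ranking: a sampled record counts for its weight."""
    counts = Counter()
    for _t, client, _qname, _qtype, weight in records:
        counts[client] += weight
    return counts.most_common(n)


def simulate(n_queries, qps, attacker_share=0.0, drain_every=10000, seed=1):
    """Drive the log with a fake clock at a fixed query rate.

    Constructed traffic (not captured data): four resolvers plus, optionally,
    one source sending `attacker_share` of all queries. The reader drains
    only every `drain_every` queries, so it can fall behind the writer."""
    rng = random.Random(seed)
    clock = [0.0]
    log = LossyQueryLog(capacity=4096, qps_threshold=1000, sample_every=100,
                        now=lambda: clock[0], rng=rng)
    resolvers = ["192.0.2.10", "192.0.2.11", "198.51.100.7", "203.0.113.4"]
    drained = []
    for i in range(n_queries):
        clock[0] = i / qps
        client = "203.0.113.99" if rng.random() < attacker_share else rng.choice(resolvers)
        log.record(client, "example.nz.", "A")
        if i % drain_every == drain_every - 1:
            drained.extend(log.drain())
    drained.extend(log.drain())
    return log, drained


if __name__ == "__main__":
    quiet, _ = simulate(20000, qps=500)
    print("quiet: logged", quiet.logged, "evicted by slow reader", quiet.evicted)
    attack, recs = simulate(100000, qps=20000, attacker_share=0.9)
    print("attack: logged", attack.logged, "sampled out", attack.sampled_out,
          "estimated total", attack.weight_logged, "top", top_clients(recs, 1))
```

Under the quiet run the writer stays below the threshold and logs every query, but the slow reader loses most of them to eviction; under the flood the buffer never overflows because sampling has cut the write rate, and the weighted estimate still identifies the dominant source and approximates the true query count. Random rather than every-Nth sampling is deliberate: a sender who knows the stride could pace traffic to land between samples.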
