Paul Vixie wrote:
> until cisco makes source address validation the default, we have
> no tools available to thwart ddos, other than clever hacks.

While we may not have any tools to fight DDoS per se, we do have one to combat _amplification_ attacks: it's called "TCP".

Yes, it does come at a cost, but no one said we could cut corners forever, be it by using UDP DNS outside LANs or by rate-limiting unvalidated source addresses. (Now why does this remind me of the DNSSEC debate?)

"There's no easy way out, there's no shortcut home ..."

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
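One concrete form of the TCP argument in the message above, added here as an illustration and not part of the original post: a responder that answers a UDP query with a truncated (TC=1) reply sends a spoofed source no more bytes than the query carried, while a real client retries over TCP, where the handshake validates its address. The function names and the sample query are constructed for this example.

```python
import struct

QR, TC = 0x8000, 0x0200        # response and truncation flags (RFC 1035 header)
KEEP = 0x7900                  # opcode and RD bits copied from the query

def build_query(qname, qtype=255, txid=0x1234):
    """Constructed sample input: a UDP query with RD set and one question."""
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.strip(".").split("."))
    return (struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
            + name + b"\x00" + struct.pack("!HH", qtype, 1))

def question_end(msg):
    """Return the offset just past the first question (QNAME, QTYPE, QCLASS)."""
    pos = 12
    while True:
        if pos >= len(msg):
            raise ValueError("question runs past end of message")
        length = msg[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("unexpected label type in question name")
        pos += 1 + length
    pos += 1 + 4               # root label, then QTYPE and QCLASS
    if pos > len(msg):
        raise ValueError("question runs past end of message")
    return pos

def truncated_reply(query):
    """Build a TC=1 reply: header plus the echoed question, no records."""
    if len(query) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qdcount = struct.unpack("!3H", query[:6])
    if flags & QR or qdcount != 1:
        raise ValueError("not a single-question query")
    end = question_end(query)
    header = struct.pack("!6H", txid, QR | TC | (flags & KEEP), 1, 0, 0, 0)
    # Anything after the question (for example an EDNS OPT record) is dropped.
    return header + query[12:end]

def amplification(query, reply):
    """Bytes sent back per byte received."""
    return len(reply) / len(query)

if __name__ == "__main__":
    q = build_query("example.com")
    r = truncated_reply(q)
    print(len(q), len(r), amplification(q, r))
```

The cost the message mentions shows up here as the extra round trips and per-connection state the TCP retry needs.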
