In message <[email protected]>, Jim Reid writes:
> On 10 Jan 2013, at 17:39, Matthew Ghali <[email protected]> wrote:
> 
> > So if I understand correctly, the solution you are advocating is to
> > only answer non-spoofed queries?
> 
> It's one of them, yes. Though since it's hard for a DNS server to
> distinguish between spoofed and genuine source IP addresses, the RRL
> patch is the easiest way to get the same effect. Your server would then
> respond to a teeny fraction of the thousands of queries per second from
> the same (forged) IP address(es). Further measures will be necessary,
> especially if/when the characteristics of the current attacks change to
> make them less amenable to RRL dampening.
> 
> Sadly, there is no magic bullet which will solve this problem. A bunch of
> countermeasures and defences are needed, some of which will be outside
> the realm of network operations or the DNS protocol. This should not be
> news to anyone here.
As far as I can tell there is no way to stop reflection attacks as long
as ISPs allow spoofed traffic to enter their networks. The attackers will
just go broad spectrum (millions of reflectors) and no single reflector
will be able to see that it is part of an attack.

It is possible to detect current reflection attacks and mitigate them
using RRL but this is only a stop gap measure which causes the attackers
to choose different reflectors.

What we can do is turn off amplification attacks. We know a number of
methods of how to do this.

* set TC=1 on all UDP query replies and force the client to TCP.
* do a handshake over UDP before sending amplified replies.

> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
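The two ideas in this thread, rate-limiting responses per (client prefix, answer) so a forged source only gets a trickle of replies, and refusing to send an amplified reply over UDP by setting TC=1 so the client retries over TCP, can be shown together as a small response-policy simulation. The code below is an added example, not code from this thread, from ISC or from BIND's RRL implementation: the token-bucket parameters, the `slip` behaviour (every n-th over-limit reply goes out truncated instead of dropped so a genuine client behind the same prefix can fall back to TCP), the `max_udp_amplification` ratio (0.0 reproduces "TC=1 on all UDP replies") and all query sizes and addresses are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
import ipaddress

ANSWER, TRUNCATE, DROP = "ANSWER", "TRUNCATE", "DROP"


@dataclass
class Query:
    """One query as the authoritative server sees it (constructed sizes)."""
    src: str            # source address on the wire; over UDP it may be forged
    qname: str
    qtype: str
    transport: str      # "udp" or "tcp"
    query_len: int      # bytes of the incoming query
    response_len: int   # bytes the full answer would occupy


@dataclass
class Bucket:
    tokens: float
    last: float


class ResponsePolicy:
    """Decide per query: ANSWER in full, TRUNCATE (header-only reply with
    TC=1 telling the client to retry over TCP), or DROP silently."""

    def __init__(self, rate_per_sec=5.0, burst=5, slip=2,
                 max_udp_amplification=3.0, prefix_len=24):
        self.rate = rate_per_sec        # sustained responses/sec per key
        self.burst = burst              # bucket capacity
        self.slip = slip                # every slip-th over-limit reply is truncated
        self.max_udp_amplification = max_udp_amplification  # 0.0 => TC=1 on every UDP reply
        self.prefix_len = prefix_len
        self.buckets = {}
        self.over_limit = {}

    def _key(self, q):
        # Limit on (client prefix, answer identity): spreading forged sources
        # over one /24 shares a bucket, and one noisy name does not starve
        # other answers to the same prefix.
        net = ipaddress.ip_network(f"{q.src}/{self.prefix_len}", strict=False)
        return (str(net), q.qname.lower(), q.qtype.upper())

    def decide(self, q, now):
        if q.transport == "tcp":
            # The TCP handshake already showed the source is reachable, so the
            # reply cannot be reflected onto a spoofed victim.
            return ANSWER
        key = self._key(q)
        b = self.buckets.setdefault(key, Bucket(tokens=float(self.burst), last=now))
        b.tokens = min(self.burst, b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            # Under the rate limit, but still refuse to amplify over UDP.
            if q.response_len > self.max_udp_amplification * q.query_len:
                return TRUNCATE
            return ANSWER
        # Over the limit: mostly drop, but slip a truncated reply now and then
        # so a genuine client sharing the prefix can fall back to TCP.
        n = self.over_limit[key] = self.over_limit.get(key, 0) + 1
        if self.slip and n % self.slip == 0:
            return TRUNCATE
        return DROP


def simulate(policy, queries, start, interval):
    """Feed queries at a fixed interval and tally the decisions."""
    counts = Counter()
    for i, q in enumerate(queries):
        counts[policy.decide(q, start + i * interval)] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed scenario: 12 UDP ANY queries in ~0.1 s from forged sources in
    # one /24, each asking for a reply about 50x the size of the query.
    flood = [Query("192.0.2.7" if i % 2 == 0 else "192.0.2.9", "example.com",
                   "ANY", "udp", query_len=40, response_len=2000) for i in range(12)]
    print("reflected flood:", simulate(ResponsePolicy(), flood, 0.0, 0.01))
    # -> {'TRUNCATE': 8, 'DROP': 4}: nothing amplified, nothing answered in full.
    # A client that retries over TCP gets the full answer at once.
    print("tcp retry:", ResponsePolicy().decide(
        Query("192.0.2.7", "example.com", "ANY", "tcp", 40, 2000), 1.0))  # ANSWER
```

The bucket refills continuously, so a well-behaved client asking a few times a second for a modest answer is never touched; only the combination of a forged-looking burst and a large UDP reply is dampened, and even then the truncated slips keep the path to TCP open for anyone whose address was forged.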
