On Fri, Nov 29, 2019 at 07:34:56PM +0000, Tony Finch wrote:

> Viktor Dukhovni <[email protected]> wrote:
> >
> > reflection of answers to forged source IPs is not available with TCP
> 
> Attackers can get a small amplification from SYN/ACK retries, and this is
> being used in the wild.
> 
> https://www.darkreading.com/attacks-breaches/new-ddos-attacks-leverage-tcp-amplification-/d/d-id/1336339

Thanks for the link, appreciated.  Perhaps the answer is that a future root
zone retrieval service should be available only via QUIC with always-on address
validation:

    https://tools.ietf.org/html/draft-ietf-quic-transport-24#section-8.1.1
    https://tools.ietf.org/html/draft-ietf-quic-transport-24#section-8.1

This should also facilitate data integrity.

-- 
    Viktor.
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
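As an added illustration (not part of the thread, and not code from either poster or from any QUIC implementation), the toy Python model below shows the property Viktor is pointing at: with always-on address validation a server answers an unvalidated source with one small, stateless Retry that carries a token bound to the apparent source address, and sends the large response only once that token comes back. The 1200-byte Initial minimum and the 3x anti-amplification bound come from draft-ietf-quic-transport-24; the HMAC-SHA256 token construction, the packet layout, the payload size and the addresses are assumptions constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# From draft-ietf-quic-transport-24: clients pad Initial datagrams to at least
# 1200 bytes, and a server must not send more than 3x the bytes it has received
# from an address it has not yet validated.
MIN_INITIAL_BYTES = 1200
AMPLIFICATION_LIMIT = 3


class RetryServer:
    """Toy server that validates the client address with a Retry token before
    it sends any large response. Constructed for this example; not a QUIC stack.
    Unlike TCP SYN/ACK handling it keeps no state and never retransmits, so an
    unvalidated source gets exactly one small reply per packet it sends."""

    def __init__(self, payload: bytes, key: Optional[bytes] = None) -> None:
        self.payload = payload              # the large answer (think: a root zone chunk)
        self.key = key or os.urandom(32)    # token key, never leaves the server
        self.retry_count = 0

    def _token(self, client_addr: str) -> bytes:
        # Assumption: HMAC-SHA256 over the apparent source address. A real
        # implementation would also bind a lifetime and the original connection ID.
        return hmac.new(self.key, client_addr.encode(), hashlib.sha256).digest()

    def handle(self, src_addr: str, datagram: bytes, token: Optional[bytes]) -> bytes:
        """Return the bytes the server puts on the wire toward src_addr."""
        if len(datagram) < MIN_INITIAL_BYTES:
            return b""   # undersized Initial: dropped, nothing is reflected
        if token is not None and hmac.compare_digest(token, self._token(src_addr)):
            return self.payload   # address validated: full response
        # Not validated: one small Retry carrying the token, bounded by the 3x rule.
        retry = b"RETRY" + self._token(src_addr)
        assert len(retry) <= AMPLIFICATION_LIMIT * len(datagram)
        self.retry_count += 1
        return retry


def honest_exchange(server: RetryServer, client_addr: str) -> bytes:
    """Client that really owns client_addr sees the Retry, echoes the token,
    and receives the payload."""
    initial = b"\x00" * MIN_INITIAL_BYTES
    reply = server.handle(client_addr, initial, token=None)
    assert reply.startswith(b"RETRY")
    token = reply[len(b"RETRY"):]
    return server.handle(client_addr, initial, token=token)


def spoofed_attempt(server: RetryServer, victim_addr: str) -> float:
    """Attacker sends Initials with the victim's address as source and never
    sees the Retry. Return bytes sent toward the victim divided by bytes the
    attacker had to send: the attacker's best-case amplification factor."""
    initial = b"\x00" * MIN_INITIAL_BYTES
    first = server.handle(victim_addr, initial, token=None)
    # The token went to the victim, so the attacker can only guess one.
    second = server.handle(victim_addr, initial, token=os.urandom(32))
    return (len(first) + len(second)) / (2 * len(initial))


if __name__ == "__main__":
    srv = RetryServer(payload=b"." * 64_000, key=b"k" * 32)
    print("honest client got", len(honest_exchange(srv, "192.0.2.10")), "bytes")
    print("spoofed amplification factor:", round(spoofed_attempt(srv, "198.51.100.7"), 4))
```

Each spoofed 1200-byte Initial draws a single 37-byte Retry toward the victim, so the reflected traffic is a small fraction of what the attacker sends, and the large payload is never emitted toward an address that has not proven it can receive at that address.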
