On Fri, Jan 09, 2004 at 08:23:01PM -0600, Chris Watson wrote:

> A DoS attack based on flooding the target with v4 DNS lookups
> requesting v6 AAAA host records from random spoofed address space. You
> can't filter based on port or you kill DNS. Adding rules in to block
> the spoofed IPs would be just unfeasible. What do you do? The best I
> could come up with was to get your upstream on the horn and have them
> trace it back, then contact the network they trace it to, etc., etc. I
> really don't know any other way to go about it. Even if you could write
> something to filter on payload, your performance would probably hit the
> floor. Any ideas?
What's the importance of v6 AAAA lookups in this scenario? If you're not allowing recursion to the public, the name server can answer a v6 AAAA query (for the zones it serves) as efficiently as any v4 A query, no? Do you need publicly available recursion (why?), or what's special about v6 AAAA that makes it more of a DoS than plain v4 queries?

Daniel
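As an added illustration of the point Daniel raises (this is not configuration from either poster), here is a BIND 9 named.conf fragment showing the open-recursion setting next to a restricted one. The `trusted` ACL prefixes and the zone name are constructed placeholders.

```conf
// WEAK: recursion is offered to any source address. One spoofed packet
// asking for an AAAA record outside our zones makes this server do a
// full recursive resolution on the attacker's behalf, which is far more
// expensive than answering from local zone data.
options {
    recursion yes;
    allow-recursion { any; };
};

// BETTER: recursion only for networks we actually serve (constructed
// example prefixes). Everyone else still gets authoritative answers
// for the zones below, and an AAAA answer from zone data costs the same
// as an A answer, so the record type no longer matters to the load.
acl trusted { 127.0.0.0/8; 192.0.2.0/24; };

options {
    recursion yes;
    allow-recursion { trusted; };
};

// Authoritative data remains available to the public regardless of
// the recursion restriction above. "example.com" is a placeholder.
zone "example.com" {
    type master;
    file "example.com.zone";
};
```

Queries from outside `trusted` for names the server is not authoritative for get a REFUSED (or non-recursive referral) response rather than triggering upstream lookups.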
