On Sun, Aug 17, 2008 at 11:42:39PM -0400, Dean Anderson wrote:

> TCP isn't susceptible to this kind of attack at all. TCP spoofing is

While this is true, it turns out the current crop of authoritative
nameservers, including mine, is not up to serving thousands of
requests/second over TCP. Or at least not thousands of new sessions/second.

I'm working on in-place spoofing countermeasures and I've already had to
stop my tests because I ended up overloading the authentic authoritative
servers with TCP queries.

So TCP is not the end-all to our worries. Nor is DNSSEC, however; the
current crop of auth servers doesn't have that enabled or working either.

        Bert

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop