Linked by Thom Holwerda on Thu 28th Mar 2013 00:36 UTC, submitted by MOS6510

I'm no expert either, but your solution sounds more complicated (and, hence, more CPU intensive on the routers) than what they were proposing. It sounded like they were just proposing plain old source-interface checking so, when the attacker sends a spoofed packet to a DNS server, one of the border routers along the way drops it for arriving on the wrong interface.
We're talking about the same check. What I was describing was the process behind "plain old source-interface checking".
Totally. But AFAIK we've never seen the same degree of amplification (e.g. every bit being multiplied up to as much as 10 bits) before, not even with SYN flooding. Which is where attacking open resolvers comes into play.
I might be wrong on this though, so I welcome any corrections.
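An added example (not from this thread or either poster): a small Python model of the strict reverse-path "source-interface" check the two comments describe, using a constructed routing table and constructed sample packets; the prefixes, interface names and traffic are assumptions for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table for a border router: prefix -> interface the
# router would use to reach that prefix. Assumed topology, not from the thread.
ROUTES = {
    "10.0.0.0/8": "eth0",     # customer network behind the router
    "192.0.2.0/24": "eth0",   # another customer prefix
    "0.0.0.0/0": "eth1",      # default route towards the upstream / Internet
}


def route_interface(addr):
    """Longest-prefix match: which interface leads back towards addr?"""
    best = None
    ip = ip_address(addr)
    for prefix, iface in ROUTES.items():
        net = ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def strict_urpf_accepts(src, arrival_iface):
    """Strict reverse-path check: accept a packet only if the route back to
    its source address points out of the interface it arrived on."""
    return route_interface(src) == arrival_iface


def filter_packets(packets):
    """Split (src, dst, arrival_iface) tuples into (accepted, dropped) lists."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if strict_urpf_accepts(pkt[0], pkt[2]) else dropped).append(pkt)
    return accepted, dropped


# Constructed sample traffic towards a resolver at 198.51.100.53:
# a genuine customer query, a query whose source is forged to look like an
# outside address (203.0.113.9) but that arrives on the customer-facing port,
# and a genuine packet from that outside address arriving from upstream.
SAMPLE = [
    ("10.1.2.3", "198.51.100.53", "eth0"),     # legitimate customer query
    ("203.0.113.9", "198.51.100.53", "eth0"),  # forged source on wrong interface
    ("203.0.113.9", "10.1.2.3", "eth1"),       # legitimate inbound from upstream
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE)
    print("accepted:", ok)
    print("dropped (source arrived on wrong interface):", bad)
```

Only the second packet is dropped: the route back to 203.0.113.9 is the default route via eth1, so a packet claiming that source on eth0 fails the check before it can reach the resolver.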