Linked by Thom Holwerda on Thu 28th Mar 2013 00:36 UTC, submitted by MOS6510
Internet & Networking "The New York Times this morning published a story about the Spamhaus DDoS attack and how CloudFlare helped mitigate it and keep the site online. The Times calls the attack the largest known DDoS attack ever on the Internet. We wrote about the attack last week. At the time, it was a large attack, sending 85Gbps of traffic. Since then, the attack got much worse. Here are some of the technical details of what we've seen."
Thread beginning with comment 556961
"I'd argue it's more a problem with the UDP datagram than DNS specifically. DNS just exposes that weakness of UDP. So if we just fix DNS then I'm sure someone will find another UDP service that can be exploited in the same way (possibly games servers?)"

I guess you could put it that way. It's true that UDP does nothing to confirm the sender IP, but to fix it at this level would mean converting UDP to a stateful protocol with a bidirectional handshake.

Among all the IP protocols already invented, we probably already have something that would work, but it does little good until these actually see widespread support.

So, the easiest fix in this case is probably just running DNS over TCP.

Edited 2013-03-28 17:56 UTC

Score: 2
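As an added illustration (not code from this thread, from CloudFlare or from Spamhaus), here is a minimal Python model of the name-server-side fix the comment above arrives at: a server that sees too many queries from one source answers over UDP only with the TC (truncated) bit set, so a genuine client retries over TCP, which needs a real handshake and cannot be spoofed, while a reflected UDP response is no larger than the query that triggered it. The domain, record data, source addresses and the per-source limit are constructed for the example; a real server would use a proper rate limiter such as response rate limiting.

```python
import struct
from collections import defaultdict

QTYPE_ANY = 255
TC_FLAG = 0x0200  # "truncated" bit in the DNS header flags word

def build_query(name, qtype=QTYPE_ANY):
    """Standard DNS query: 12-byte header, then QNAME/QTYPE/QCLASS (IN)."""
    header = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def parse_question(msg):
    """Return (txid, name, question-section bytes) of an incoming query."""
    txid = struct.unpack(">H", msg[:2])[0]
    pos, labels = 12, []
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    pos += 1  # skip the root label
    return txid, ".".join(labels), msg[12:pos + 4]

def full_answer(txid, question, rrs):
    """Normal response: header, echoed question, one RR per (type, rdata)."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(rrs), 0, 0)
    # each RR names its owner with a compression pointer (0xC00C) to the question
    body = b"".join(struct.pack(">HHHIH", 0xC00C, t, 1, 300, len(d)) + d for t, d in rrs)
    return header + question + body

def truncated_answer(txid, question):
    """Tiny response with TC=1 and no answers: 'retry over TCP'."""
    return struct.pack(">HHHHHH", txid, 0x8180 | TC_FLAG, 1, 0, 0, 0) + question

class Responder:
    """Constructed per-source counter: past the limit, only truncated UDP replies."""
    def __init__(self, limit):
        self.limit, self.seen = limit, defaultdict(int)

    def respond(self, src_ip, query, rrs):
        txid, _name, question = parse_question(query)
        self.seen[src_ip] += 1
        if self.seen[src_ip] > self.limit:
            return truncated_answer(txid, question)
        return full_answer(txid, question, rrs)

def is_truncated(response):
    return bool(struct.unpack(">H", response[2:4])[0] & TC_FLAG)

def amplification(query, response):
    # bytes delivered to the (possibly spoofed) source per byte the sender spent
    return len(response) / len(query)
```

With ten 100-byte TXT records, a 29-byte ANY query draws a 1149-byte UDP reply (about 40x amplification), while the truncated reply is exactly as large as the query.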

Laurence:

I did read someone else suggesting that and at the time I didn't take their suggestion all that seriously because of the disruption it could cause. But thinking about it again, it's probably a good long-term goal.

And with that, I think you're probably right that the best solution is at the name server end rather than trying to patch all the edge routers.

This has been an interesting discussion. Thanks for your insights ;)

Score: 2