From: Michael Mol
Date: Thu, 28 Mar 2013 17:04:25 -0400
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] How to prevent a dns amplification attack
Message-ID: <5154B059.9010205@gmail.com>
In-Reply-To: <20130328205756.4a0c54c9@kc-sys.chadwicks.me.uk>

On 03/28/2013 04:57 PM, Kevin Chadwick wrote:
>
>> listened to the dangers and even now simply redesigned DNSSEC.
>
> Or they could fudge it by making every request requiring padding larger
> than the response. Bandwidth would increase astronomically but amp
> attacks would have to find other avenues.
>

Infeasible; the requester cannot know the size of the response in
advance. If a packet comes in, and the response is larger than the
request, is it really an amp packet, did the client not know, or is the
server misconfigured and not limiting the response data as much as it
could?
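
Added example, not part of the original message: a sketch of what a server would have to do to enforce the quoted padding idea, since only the server ever knows both sizes. The rule `apply_size_rule`, the fallback to a truncated (TC) reply, the trailing zero bytes used as padding, and the sample packets are all assumptions constructed for illustration.

```python
import struct

QR, TC, RD = 0x8000, 0x0200, 0x0100   # DNS header flag bits (RFC 1035)

def build_query(name, qtype=1, pad=0):
    """Constructed query; `pad` trailing zero bytes stand in for the proposed padding."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return (struct.pack("!HHHHHH", 0x1234, RD, 1, 0, 0, 0) + qname
            + struct.pack("!HH", qtype, 1) + bytes(pad))

def question_end(msg):
    """Offset just past the first question (QNAME, QTYPE, QCLASS)."""
    pos = 12
    while msg[pos]:               # length-prefixed labels; queries carry no compression
        pos += 1 + msg[pos]
    return pos + 5

def build_response(query):
    """Constructed answer: one A record (16 bytes) appended to the echoed question."""
    qid = struct.unpack("!H", query[:2])[0]
    rr = struct.pack("!HHHIH4s", 0xC00C, 1, 1, 300, 4, bytes([192, 0, 2, 1]))
    header = struct.pack("!HHHHHH", qid, QR | RD | 0x0080, 1, 1, 0, 0)
    return header + query[12:question_end(query)] + rr

def truncated_reply(query):
    """Header plus question with TC set; never longer than the query it answers."""
    qid, flags = struct.unpack("!HH", query[:4])
    header = struct.pack("!HHHHHH", qid, QR | TC | (flags & RD), 1, 0, 0, 0)
    return header + query[12:question_end(query)]

def apply_size_rule(query, response):
    """Hypothetical server-side rule: nothing larger than the request goes out over UDP."""
    return response if len(response) <= len(query) else truncated_reply(query)

def demo():
    """Map pad size -> (query length, reply length, TC set) for three client guesses."""
    results = {}
    for pad in (0, 15, 16):       # the client has to guess; the answer is 45 bytes
        q = build_query("example.com", pad=pad)
        out = apply_size_rule(q, build_response(q))
        results[pad] = (len(q), len(out), bool(struct.unpack("!H", out[2:4])[0] & TC))
    return results

if __name__ == "__main__":
    for pad, row in demo().items():
        print(pad, row)
```

With 15 bytes of padding the client is one byte short and receives the same truncated reply as an unpadded query, so the server's action is identical for a spoofed request and for an honest client that guessed wrong.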