* Paul Vixie:

> while i think it's bad that anybody who can hammer you at GigE speed for
> ten hours can poison your cache,

Looking at the numbers in the blog post, it's somewhere between 100mbps and 200mbps, not full GE line rate.

> it's not a threat to the real world the way 11 seconds at 10-megabit
> was.

Still true.

> at some point ISC will have to put logic like this into BIND, of course.
> but protecting against the Polyakov attack is like synflood protection in
> that it's a rate-limit problem.

Synflood protection used to be about weeding out the attack packets, not about rate-limiting per se. Due to the lack of state in DNS, the analog to synflood protection is somewhat difficult to achieve (and Cisco has a broad patent in this area).
