On Sun, Aug 17, 2008 at 11:42:39PM -0400, Dean Anderson wrote:
> TCP isn't susceptible to this kind of attack at all. TCP spoofing is

While this is true, it turns out the current crop of authoritative nameservers, including mine, is not up to serving thousands of requests/second over TCP. Or at least not thousands of new sessions/second.

I'm working on in-place spoofing countermeasures and I've already had to stop my tests because I ended up overloading the authentic authoritative servers with TCP queries.

So TCP is not the end-all to our worries. Nor is DNSSEC however - the current crop of auth servers doesn't have that enabled or working either.

Bert

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software
http://netherlabs.nl              Open and Closed source services

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
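The message above contrasts UDP queries, whose replies can be forged blind, with TCP, where every query costs the server a handshake and a socket. The following is an added illustration, written for this page and not code from Bert, PowerDNS, or the DNSOP thread. It builds a minimal DNS query, shows the two-byte length framing TCP requires (RFC 1035 section 4.2.2) together with a reader that reassembles messages from a TCP byte stream, and applies the sanity checks a resolver makes before accepting a reply (transaction ID, QR bit, echoed question). The network helpers `query_udp` and `query_tcp`, the server address, and the sample query name are assumptions for demonstration; the framing and matching functions run offline.

```python
import os
import socket
import struct
import sys

# Added example (not from the original post). DNS header and question
# layout per RFC 1035; TCP framing per RFC 1035 section 4.2.2.

QTYPE_A = 1
QCLASS_IN = 1


def build_query(qname, qtype=QTYPE_A, qclass=QCLASS_IN, txid=None):
    """Return a DNS query: 12-byte header plus one question section."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")  # 16 bits of entropy only
    flags = 0x0100  # RD set, QR clear
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        question += bytes([len(raw)]) + raw
    question += b"\x00" + struct.pack("!HH", qtype, qclass)
    return header + question


def frame_tcp(msg):
    """Prefix a DNS message with its big-endian 2-byte length for TCP."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too large for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(buf):
    """Split a TCP byte stream into complete DNS messages.

    Returns (messages, leftover); a partial trailing frame stays in leftover
    so the caller can append the next recv() and try again.
    """
    msgs = []
    pos = 0
    while pos + 2 <= len(buf):
        (n,) = struct.unpack_from("!H", buf, pos)
        if pos + 2 + n > len(buf):
            break  # incomplete frame: wait for more bytes
        msgs.append(buf[pos + 2:pos + 2 + n])
        pos += 2 + n
    return msgs, buf[pos:]


def response_matches(query, response):
    """Checks a resolver makes before trusting a reply: same transaction ID,
    QR bit set, exactly one question, and the question echoed byte for byte."""
    if len(query) < 12 or len(response) < 12:
        return False
    if response[:2] != query[:2]:
        return False  # TXID mismatch (what a blind UDP spoofer has to guess)
    flags = struct.unpack_from("!H", response, 2)[0]
    if not flags & 0x8000:
        return False  # not a response
    if struct.unpack_from("!H", response, 4)[0] != 1:
        return False
    qlen = len(query) - 12
    return response[12:12 + qlen] == query[12:]


def query_udp(server_ip, qname, timeout=3.0):
    """One datagram out, one back; no per-query state on the server."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server_ip, 53))
        while True:  # discard anything that fails the checks above
            resp, peer = s.recvfrom(4096)
            if peer[0] == server_ip and response_matches(q, resp):
                return resp


def query_tcp(server_ip, qname, timeout=3.0):
    """Same query over a fresh TCP session: handshake, socket, framing.
    This per-session cost is what the post reports overloading servers."""
    q = build_query(qname)
    with socket.create_connection((server_ip, 53), timeout=timeout) as s:
        s.sendall(frame_tcp(q))
        buf = b""
        msgs = []
        while not msgs:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("server closed before a full reply")
            buf += chunk
            msgs, buf = unframe_tcp(buf)
    if not response_matches(q, msgs[0]):
        raise ValueError("reply does not match query")
    return msgs[0]


if __name__ == "__main__":
    # Assumed usage: python dnsframe.py <server-ip> <name>
    ip, name = sys.argv[1], sys.argv[2]
    print("udp reply bytes:", len(query_udp(ip, name)))
    print("tcp reply bytes:", len(query_tcp(ip, name)))
```

Note that `unframe_tcp` keeps an incomplete trailing frame rather than discarding it; a reader that assumes one `recv()` returns exactly one message is a common source of breakage once resolvers start falling back to TCP at volume.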