John Heidemann wrote:
> ...
> I think one has to be careful comparing TCP and UDP attacks here.
>
> Yes, this is a DoS attack. The question is not can TCP be used to
> attack, but is it WORSE than UDP? Or how is it better and worse?

in this solution space, possible outcomes are "better", "worse", "no change", "not better", and "not worse". i think shane is arguing for "never better and sometimes worse" here.

> You say 7 packets vs. 40 packets. When under DoS, is DNS per-packet
> constrained or bitrate-constrained? With modern routers my
> understanding is it's usually bitrate not packet count that is the
> limit. Bitrate is about the same for UDP vs. TCP.
>
> ...

if it were in our power (or especially in amazon's or google's or akamai's power) to cause the internet to be made up of mostly modern routers, then it would be so. alas, it is not in our power, and the internet will always have a long tail of routers we wish didn't exist any more. thus the aphorism, "the least reliable and most expensive part of the internet is OPM -- other people's networks."

for dns, we must design for the internet we will always have, not the internet we will always want. and on the internet we have, packets per second are a common bottleneck, such that an attacker knows they can reliably deny service with a small number of small packets, which do not saturate any link, but which do saturate the kinds of routers and firewalls people actually do still buy and use today.

# This is an impossible, and true directive. Yes, we must do our best. We can never
# control either case; "what we want" or "what remains".

/Hugo

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
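The disagreement in the thread is about which resource binds first on the path to a DNS server: packets per second or bits per second. The following capacity model, added here as an illustration and not code from the DNSOP list or any of its participants, makes that comparison explicit from a capacity-planning stance. It takes the thread's figure of 7 packets per TCP query exchange; the 2-packet UDP exchange, the average packet sizes, and the two bottleneck profiles ("modern-router" and "old-firewall") are constructed assumptions whose absolute values do not matter, only their ratios.

```python
"""Queries-per-second capacity of a DNS path under a packets-per-second (pps)
ceiling versus a bits-per-second (bps) ceiling, for UDP and TCP transports.

Added illustration, not code from the DNSOP thread. Constructed assumptions:
  * UDP query/response = 2 packets; TCP exchange = 7 packets (figure from the thread)
  * average packet sizes are rough and only their ratio matters
  * a single bottleneck device with independent pps and bps limits
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transport:
    name: str
    packets_per_query: int
    avg_packet_bytes: int  # average over the whole exchange (constructed)


@dataclass(frozen=True)
class Bottleneck:
    name: str
    pps_limit: float  # packets per second the device can forward
    bps_limit: float  # bits per second the link can carry


@dataclass(frozen=True)
class Capacity:
    transport: str
    bottleneck: str
    queries_per_sec: float
    binding: str  # "pps" or "bps": which ceiling is hit first


def capacity(t: Transport, b: Bottleneck) -> Capacity:
    """Sustainable query rate and the limit that binds first."""
    by_pps = b.pps_limit / t.packets_per_query
    bits_per_query = t.packets_per_query * t.avg_packet_bytes * 8
    by_bps = b.bps_limit / bits_per_query
    if by_pps <= by_bps:
        return Capacity(t.name, b.name, by_pps, "pps")
    return Capacity(t.name, b.name, by_bps, "bps")


# Constructed transport profiles (TCP packets are smaller on average because
# several of the 7 are handshake/teardown segments carrying no DNS payload).
UDP = Transport("udp", packets_per_query=2, avg_packet_bytes=100)
TCP = Transport("tcp", packets_per_query=7, avg_packet_bytes=80)

# Constructed bottleneck profiles: a device with plenty of pps headroom, and
# the kind of long-tail firewall the thread worries about, where pps is scarce.
MODERN = Bottleneck("modern-router", pps_limit=100_000_000, bps_limit=10_000_000_000)
OLD_FIREWALL = Bottleneck("old-firewall", pps_limit=50_000, bps_limit=1_000_000_000)


def compare(b: Bottleneck) -> dict[str, Capacity]:
    """Capacity of each transport through bottleneck b."""
    return {t.name: capacity(t, b) for t in (UDP, TCP)}


def tcp_penalty(b: Bottleneck) -> float:
    """How many times fewer queries the path sustains over TCP than over UDP."""
    c = compare(b)
    return c["udp"].queries_per_sec / c["tcp"].queries_per_sec


if __name__ == "__main__":
    for b in (MODERN, OLD_FIREWALL):
        for c in compare(b).values():
            print(f"{c.bottleneck:14s} {c.transport}: {c.queries_per_sec:12,.0f} q/s "
                  f"(bound by {c.binding})")
        print(f"{b.name:14s} TCP costs {tcp_penalty(b):.1f}x the UDP capacity\n")
```

With these numbers the modern router is bitrate-bound for both transports and TCP costs 2.8x capacity (the ratio of bits per exchange), while the old firewall is pps-bound and TCP costs 3.5x (the ratio of packets per exchange). Either way TCP is never better, and on the pps-bound device it is worse by a larger factor, which is the "never better and sometimes worse" position in the thread; the model is there to let an operator plug in their own device limits rather than argue from one set of assumptions.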