On Mar 27, 2013, at 10:11 PM, Michael DeMan <na...@deman.com> wrote:

> As I think as we all know the deficiency is the design of the DNS system
> overall.

One of the largest DDoS attacks I've witnessed was SNMP-based, walking entire OID sub-trees (with spoofed source addresses) across thousands of CPEs that defaulted to allowing SNMP queries over the WAN interface. "Oops". Topped out around 70 Gbps if I remember correctly. No DNS involved.

> The fundamental cause and source of failure for these kinds of attacks comes
> from the way the DNS (and let's not even get into 'valid' SSL certs) is
> designed.

Not really. You're at least one layer too high. (Not even going to question what "'valid' SSL certs" have to do with the DNS.)

> It is fundamentally flawed. I am sure there were plenty of political reasons
> for it to have ended up this way instead of being done in a more robust
> fashion?

I suspect if you look at the number of queries per second the best TCP stacks could handle circa mid-1980s and compare that number to an average UDP stack, you might see an actual reason instead of conspiracy theories.

> For all the gripes and complaints - all I see is complaints of the symptoms
> and nobody calling out the original cause of the disease?

You mean connectionless datagram transmission without validation of packet source?

Regards,
-drc
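The pattern drc describes (SNMP or DNS responders on your own network answering spoofed-source queries with far larger replies to a third party) shows up in flow data as a local host emitting many more bytes on an amplifier port to an external address than it receives on that port. The script below is an added example, not code from the thread or from any of its participants: it scores local responders by their outbound/inbound byte ratio on UDP/53 and UDP/161 and reports the destination receiving most of the reflected traffic. The flow records, the local prefix 198.51.100.0/24 and the thresholds are all constructed assumptions; real deployments would read NetFlow/sFlow exports instead of the inline list.

```python
"""Flag local hosts acting as SNMP/DNS reflectors, using flow records.

Added example (not from the mailing-list thread). All addresses are RFC 5737
documentation ranges and the flows are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# UDP services commonly abused as amplifiers; the thread mentions both.
AMPLIFIER_PORTS = {53: "dns", 161: "snmp"}

# Hypothetical address space of "our" network (assumption).
LOCAL_PREFIXES = [ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


# Constructed sample flows, not real traffic:
#  - 198.51.100.10: a CPE answering SNMP on its WAN side; small queries arrive
#    "from" 203.0.113.5 (the spoofed source) and large walks go back to it.
#  - 198.51.100.20: a CPE polled normally by an internal NMS at 198.51.100.2.
#  - 198.51.100.53: a resolver answering an ordinary external query.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", 40000, "198.51.100.10", 161, 90),
    Flow("198.51.100.10", 161, "203.0.113.5", 40000, 4500),
    Flow("203.0.113.5", 40001, "198.51.100.10", 161, 90),
    Flow("198.51.100.10", 161, "203.0.113.5", 40001, 4500),
    Flow("203.0.113.5", 40002, "198.51.100.10", 161, 90),
    Flow("198.51.100.10", 161, "203.0.113.5", 40002, 4500),
    Flow("198.51.100.2", 50000, "198.51.100.20", 161, 200),
    Flow("198.51.100.20", 161, "198.51.100.2", 50000, 900),
    Flow("192.0.2.7", 33000, "198.51.100.53", 53, 60),
    Flow("198.51.100.53", 53, "192.0.2.7", 33000, 120),
]


def is_local(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in LOCAL_PREFIXES)


def detect_reflectors(flows, ratio_threshold=10.0, min_out_bytes=1000):
    """Return [(local_ip, service, out/in ratio, top destination)] for local
    hosts whose replies on an amplifier port to external hosts dwarf the
    queries they received from outside. Internal polling is ignored, so a
    legitimately monitored CPE does not trip the check."""
    in_bytes = defaultdict(int)                       # (host, port) -> query bytes
    out_bytes = defaultdict(int)                      # (host, port) -> reply bytes
    per_dst = defaultdict(lambda: defaultdict(int))   # (host, port) -> dst -> bytes
    for f in flows:
        if f.dport in AMPLIFIER_PORTS and is_local(f.dst) and not is_local(f.src):
            in_bytes[(f.dst, f.dport)] += f.nbytes
        if f.sport in AMPLIFIER_PORTS and is_local(f.src) and not is_local(f.dst):
            out_bytes[(f.src, f.sport)] += f.nbytes
            per_dst[(f.src, f.sport)][f.dst] += f.nbytes

    findings = []
    for key, out in out_bytes.items():
        inbound = in_bytes.get(key, 0)
        # Replies with no matching external queries are treated as unbounded amplification.
        ratio = out / inbound if inbound else float("inf")
        if out >= min_out_bytes and ratio >= ratio_threshold:
            top_dst = max(per_dst[key].items(), key=lambda kv: kv[1])[0]
            findings.append((key[0], AMPLIFIER_PORTS[key[1]], round(ratio, 1), top_dst))
    return sorted(findings, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for host, service, ratio, victim in detect_reflectors(SAMPLE_FLOWS):
        print(f"{host} reflecting {service}: {ratio}x amplification toward {victim}")
```

On the sample data only the WAN-exposed CPE is reported (13,500 bytes out against 270 bytes in, a 50x ratio, all of it aimed at 203.0.113.5); the resolver's 2x ratio and the internally polled CPE fall below the threshold. The "top destination" column is the host whose address is being spoofed in the queries, which is the party to notify; the fix on the responder side is the one implied in the thread: do not answer SNMP on the WAN interface, and validate source addresses at the network edge.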