Re: The Art of Unspoofing

In some mail from eric.prince@cox.net, sie said:
[...]
> The Resolution Theory
>
>     The idea is simple. Usually, when a denial of service attack is
> initiated against a target host, it's something like:
>
>       # ./attack target.com
>
>       In order to send the spoofed packets to target.com, the attacker's
> nameserver has to resolve its domain name to an IP address, and only
> then can it inject the malicious packets. In theory, the nameservers
> for target.com will receive packets originating from the true source
> host of the attack or their nameserver.
[...]

An adjunct to this is that nearly all applications will only ever resolve
a hostname _once_.  So if ./attack will start an attack that lasts for
8 hours (say) but our DNS TTL is only 1 hour, we can change the IP# of
target.com and the attack can be deflected.  How low do you go with a
TTL in DNS so you can react in this manner without pushing too much work
back on to DNS?  Don't know.  I'm sure this is well known, though?

Darren
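A toy model of the deflection idea in Darren's reply, added here as an example and not part of the original mail. It simulates (in-process, no real DNS traffic) an authoritative zone whose A record is moved during an 8-hour attack, a caching resolver that honours the TTL, and the two client behaviours discussed: one that resolves the name once at start, and one that re-resolves before every connection. All names, addresses and timings are constructed for the illustration.

```python
from typing import Optional


class Record:
    """One A record: address plus the TTL (seconds) it may be cached for."""
    def __init__(self, ip: str, ttl: int) -> None:
        self.ip, self.ttl = ip, ttl


class AuthoritativeZone:
    """Holds the current A record for one name (think target.com)."""
    def __init__(self, ip: str, ttl: int) -> None:
        self.record = Record(ip, ttl)

    def move(self, new_ip: str) -> None:
        """The defender re-points the name; the TTL is left unchanged."""
        self.record = Record(new_ip, self.record.ttl)


class CachingResolver:
    """Caches an answer until its TTL expires, like a recursive resolver."""
    def __init__(self, zone: AuthoritativeZone) -> None:
        self.zone = zone
        self.cached: Optional[Record] = None
        self.expires_at = 0

    def resolve(self, now: int) -> str:
        if self.cached is None or now >= self.expires_at:
            self.cached = self.zone.record          # cache miss: ask the zone
            self.expires_at = now + self.cached.ttl
        return self.cached.ip


def simulate(ttl: int, move_at: int, duration: int = 8 * 3600, step: int = 600) -> dict:
    """Seconds each client keeps hitting the OLD address after the move.

    Addresses are RFC 5737 documentation ranges (constructed sample data).
    """
    old_ip, new_ip = "192.0.2.10", "198.51.100.10"
    zone = AuthoritativeZone(old_ip, ttl)
    resolver = CachingResolver(zone)
    once_ip = resolver.resolve(0)              # resolve-once client looks up at t=0 only
    stale = {"resolve_once": 0, "ttl_aware": 0}
    for t in range(0, duration, step):
        if t == move_at:
            zone.move(new_ip)
        current = resolver.resolve(t)          # ttl-aware client re-resolves each step
        if t >= move_at:
            stale["resolve_once"] += step if once_ip == old_ip else 0
            stale["ttl_aware"] += step if current == old_ip else 0
    return stale
```

With a one-hour TTL and the move made one hour in, `simulate(3600, 3600)` shows the resolve-once client stuck on the old address for the remaining seven hours while the TTL-honouring client follows the move immediately; moving mid-TTL (`simulate(3600, 1800)`) shows the reaction window is bounded by the TTL still left in caches.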
