On Oct 1, 2007, at 10:10 AM, Jeffrey Hutzelman wrote:
> No; the blame for an attack _always_ lies with the attacker, not the victim. While I certainly wish more network providers would implement BCP 38, those who fail to do so are not to blame for the bad acts of others.
Given the reality with bots et al. today, most of the attacking systems are actually victims themselves.
> It does, but normally only responses which are too long for UDP require the use of TCP. A recursive nameserver could mitigate this type of attack by lowering the maximum response size it is willing to send via UDP, forcing the use of TCP and thus a three-way handshake for larger responses. The tricky part is that setting the threshold too low can have serious performance impact.
Note that in real deployments just this behavior has broken things on occasion, as many firewall and other such policy application points assume things like DNS resolution will only be UDP/53 transactions. YMMV.

-danny

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
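The mitigation discussed in the message above, as an added example that is not part of the thread and not code from any real nameserver: a toy responder that builds a DNS reply and, on UDP, compares it against the smaller of the client's advertised EDNS0 buffer and a server-side cap. If the reply does not fit, it is sent truncated (TC bit set, answer section emptied) so the client must retry over TCP. The sample name, addresses and the `server_max_udp_size` parameter are constructed for illustration; the amplification-factor helper shows why a reflector operator cares about the UDP response size in the first place.

```python
"""Model of a recursive resolver's UDP response-size policy (constructed example)."""
import struct

# DNS header flag bits (RFC 1035)
QR = 0x8000  # response
TC = 0x0200  # truncated: client should retry over TCP
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available

OPT_TYPE = 41            # EDNS0 OPT pseudo-RR (RFC 6891)
CLASSIC_UDP_LIMIT = 512  # pre-EDNS maximum UDP payload

# Constructed sample data: one name with many A records, as an attacker
# looking for a large reflected response would choose.
SAMPLE_NAME = "example.com"
SAMPLE_IPS = ["192.0.2.%d" % i for i in range(1, 41)]


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, edns_udp_size=None):
    """Build a query; with edns_udp_size, append an OPT RR advertising that buffer."""
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack(">HHHHHH", 0x1234, RD, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack(">HH", qtype, 1)
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS carries the requestor's UDP payload size
        msg += b"\x00" + struct.pack(">HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return msg


def parse_query(query):
    """Return (id, question bytes, client UDP limit); limit is 512 without EDNS0."""
    qid, _flags, _qd, _an, _ns, arcount = struct.unpack(">HHHHHH", query[:12])
    off = 12
    while query[off] != 0:          # skip QNAME labels
        off += 1 + query[off]
    off += 1 + 4                    # root label, QTYPE, QCLASS
    question = query[12:off]
    udp_limit = CLASSIC_UDP_LIMIT
    for _ in range(arcount):
        if query[off] != 0:         # only a root-named OPT RR is expected here
            break
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", query[off + 1:off + 11])
        if rtype == OPT_TYPE:
            udp_limit = rclass
        off += 11 + rdlen
    return qid, question, udp_limit


def a_record(ip, ttl=300):
    # Owner name is a compression pointer to the question name at offset 12
    return struct.pack(">HHHIH", 0xC000 | 12, 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))


def build_response(query, ips, server_max_udp_size=4096, transport="udp"):
    """Return (response, truncated). Over UDP the reply must fit within
    min(client advertised size, server cap); otherwise reply with TC set and
    no answers so the client retries over TCP (three-way handshake first)."""
    qid, question, client_limit = parse_query(query)
    flags = QR | RD | RA
    answers = b"".join(a_record(ip) for ip in ips)
    full = struct.pack(">HHHHHH", qid, flags, 1, len(ips), 0, 0) + question + answers
    if transport == "tcp" or len(full) <= min(client_limit, server_max_udp_size):
        return full, False
    # Lowering server_max_udp_size is the knob the message describes: it forces
    # more responses down this path regardless of what the client advertises.
    return struct.pack(">HHHHHH", qid, flags | TC, 1, 0, 0, 0) + question, True


def is_truncated(response):
    return bool(struct.unpack(">H", response[2:4])[0] & TC)


def amplification_factor(query, response):
    """Bytes sent to the (spoofed) victim per byte the attacker sent."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query(SAMPLE_NAME, edns_udp_size=4096)
    for cap in (4096, 512):
        resp, trunc = build_response(q, SAMPLE_IPS, server_max_udp_size=cap)
        print("cap=%d truncated=%s bytes=%d amp=%.1fx"
              % (cap, trunc, len(resp), amplification_factor(q, resp)))
```

With the client advertising a 4096-byte buffer, the 40-record reply (669 bytes) goes out over UDP and reflects roughly 17x the query size to whatever source address the attacker spoofed; capping the server at 512 bytes turns the same reply into a 29-byte truncated response, and the real data only flows after a TCP handshake that a spoofed source cannot complete. In BIND the corresponding knob is the `max-udp-size` option. The operational caveat in the message applies directly: once clients start retrying over TCP/53, any firewall or policy device that only permits UDP/53 for DNS will make those names unresolvable.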