
How the Consumer Product Safety Commission Is Behind the Largest DDoS Attacks - jgrahamc
https://blog.cloudflare.com/how-the-consumer-product-safety-commission-is-inadvertently-behind-the-internets-largest-ddos-attacks/
======
degenerate
"How the Consumer Product Safety Commission Is Behind the Largest DDoS
Attacks"

=>

"How the Consumer Product Safety Commission's DNS Records Are Used in the
Largest DDoS Attacks"

FTFY

~~~
rmdoss
Very good article with the unnecessary clickbait headline.

------
_--
"Consumer Product Safety Commission is behind...DDoS"

This sort of title suggests that intent is not important.

If we accept that as true, then we can make a few more observations.

_DNSSEC is behind DDoS._

The large responses mandated by DNSSEC allow DNS to be used to DDoS.

People warned the DNSSEC proponents about this.

They ignored the warnings.

Because the intent of DNSSEC is something else besides DDoS. (What that
something is could be a controversial topic in itself.)

If DNSSEC and its users are behind DDoS, then _who is behind DNSSEC?_

What are they trying to achieve, what is the problem they hope to solve with
DNSSEC? Besides making DDoS easier.

A small group of people gets to ultimately decide what is and what is not a
"valid" or "authentic" domain name?

Why would anyone need something like that?

"DNS experts" over the years have been increasingly willing to admit that it's
reasonable to acknowledge that users could choose not to share a DNS cache
with anyone else. They could run their own cache bound to the loopback.

When this happens, does the user still need DNSSEC?

------
S_Daedalus
Well, that title was a little misleading, but it's still not an encouraging
tale. What's the fix here?

~~~
Animats
Maybe limit DNS queries with long answers to TCP. DNS servers speak both TCP
and UDP. With a UDP query, the source address can be faked, which causes the
results to be sent somewhere else. With TCP, the attacker can't make it
through the TCP handshake with a fake source address, because the attacker
isn't getting the replies.

