DNSCurve: Usable security for DNS

CPU flooding

This page is under construction.

How many Mbps of traffic are required to overload a DNS server's CPU, when an attacker maliciously chooses traffic to create as much CPU load as possible? This page is intended to report the results of publicly verifiable CPU-denial-of-service tests against (1) DNSSEC servers and (2) DNSCurve servers.

Some initial notes:

  • DNSSEC was designed to offload all cryptographic work from busy servers. However, DNSSEC makes DNS databases several times larger, decreasing the effectiveness of server caches. Furthermore, negative DNSSEC responses require extensive on-line computation.
  • DNSCurve keeps databases small, and does not require any special handling for negative responses, but requires some cryptographic work for every packet.
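The following capacity-planning model is an added illustration, not code or data from the DNSCurve project. It makes the first paragraph's point concrete: an attacker who can choose the traffic mix pays only the bandwidth needed to saturate the server with its most expensive query class, so provisioning against the average query mix understates the risk. The per-query CPU costs and packet sizes are constructed placeholders for the three classes the notes describe (cache hit, cache miss, expensive negative response); the function and class names are hypothetical.

```python
"""Capacity model for CPU-flooding resistance of a DNS server.

Added example; not from the DNSCurve project. Every CPU cost and packet
size below is a CONSTRUCTED placeholder, not a measurement.
"""
from dataclasses import dataclass
from typing import Iterable, Sequence, Tuple


@dataclass(frozen=True)
class QueryClass:
    """One kind of query an attacker might send, with its server-side cost."""
    name: str
    cpu_seconds: float   # server CPU time spent answering one such query
    request_bytes: int   # bytes on the wire for one request (IP + UDP + DNS)


# Constructed placeholder classes; real values come from measurement.
CACHE_HIT = QueryClass("cache_hit", cpu_seconds=2e-6, request_bytes=70)
CACHE_MISS = QueryClass("cache_miss", cpu_seconds=20e-6, request_bytes=70)
NEGATIVE = QueryClass("negative_online_compute", cpu_seconds=500e-6, request_bytes=70)
CLASSES = (CACHE_HIT, CACHE_MISS, NEGATIVE)


def queries_per_second_to_saturate(cores: float, cpu_seconds: float) -> float:
    """Query rate that fully consumes `cores` CPUs at `cpu_seconds` per query."""
    return cores / cpu_seconds


def mbps_to_saturate(cores: float, qc: QueryClass) -> float:
    """Inbound Mbps an attacker needs if every packet belongs to class `qc`."""
    qps = queries_per_second_to_saturate(cores, qc.cpu_seconds)
    return qps * qc.request_bytes * 8 / 1e6


def worst_case_mbps(cores: float, classes: Iterable[QueryClass]) -> Tuple[str, float]:
    """Bandwidth needed by an attacker who picks the cheapest-to-send, costliest-to-answer class."""
    costliest = min(classes, key=lambda qc: mbps_to_saturate(cores, qc))
    return costliest.name, mbps_to_saturate(cores, costliest)


def average_case_mbps(cores: float, classes: Sequence[QueryClass],
                      weights: Sequence[float]) -> float:
    """Bandwidth needed if traffic follows a benign mix given by `weights` (sum to 1).

    Useful only as a contrast: this is what naive provisioning tends to assume.
    """
    if abs(sum(weights) - 1.0) > 1e-9 or len(weights) != len(classes):
        raise ValueError("weights must match classes and sum to 1")
    avg_cpu = sum(w * qc.cpu_seconds for w, qc in zip(weights, classes))
    avg_bytes = sum(w * qc.request_bytes for w, qc in zip(weights, classes))
    return queries_per_second_to_saturate(cores, avg_cpu) * avg_bytes * 8 / 1e6


if __name__ == "__main__":
    cores = 4
    name, mbps = worst_case_mbps(cores, CLASSES)
    print(f"worst case: {name} saturates {cores} cores at {mbps:.2f} Mbps")
    benign = average_case_mbps(cores, CLASSES, (0.9, 0.09, 0.01))
    print(f"benign mix would need {benign:.2f} Mbps")
```

With the placeholder costs, the benign mix appears to need tens of times more bandwidth than the worst-case class, which is the gap a CPU-flooding test such as the one this page proposes is meant to expose: the server must be sized for the most expensive class an attacker can request at will.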

Version

This is version 2009.07.06 of the cpu.html web page.