Could Switching DNS to TCP Only Prevent Amplification DDoS Attacks?
The Scenario:
Spamhaus, a renowned anti-spamming organization, recently faced a massive DDoS attack utilizing various methods, including DNS amplification. The attackers exploited third-party DNS servers that responded to any DNS query. They then bombarded these servers with spoofed DNS queries, forging the source address to be Spamhaus's web server IP. These queries were crafted to elicit responses much larger than the initial request, amplifying the attack's impact and overwhelming Spamhaus's server.
The Question:
DNS servers currently use UDP for queries. Would switching to TCP only (ignoring all UDP packets) make the DNS amplification attack described above easier, harder, or have no effect?
The Answer:
3) The attack would be harder.
Justification:
TCP, unlike UDP, is connection-oriented: a three-way handshake must complete before any data is transferred. An attacker would therefore need to establish a connection with the DNS server before sending queries, and a forged source address defeats that, because the server's SYN-ACK goes to the forged address and the attacker never sees the sequence number needed to complete the handshake.
Furthermore, TCP sends no application data until the handshake completes. A spoofed SYN elicits only a SYN-ACK, which is about the same size as the SYN, so the large DNS response that makes amplification worthwhile is never sent, and the half-open connection is simply dropped when the final ACK never arrives. Attackers would be forced to use IP addresses they actually control, making the attack far easier to trace and mitigate.
In conclusion: While not a silver bullet, switching DNS to TCP only could significantly hinder DNS amplification attacks by introducing the hurdle of connection establishment, which removes the amplification and forces attackers onto addresses they control, making the attack easier to detect and trace.
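As an added illustration (not part of the original answer), the following Python model replays the reflection described above against a toy open resolver, once over UDP and once TCP-only; packet sizes and the victim address are constructed round numbers, and the handshake is simplified so that the final ACK must echo the server's initial sequence number.

```python
"""Toy model of reflected DNS amplification against an open resolver, over UDP
versus TCP-only. Packet sizes are constructed round numbers, not measurements."""
import secrets
from collections import Counter

QUERY_BYTES = 64       # constructed: IP+UDP+DNS query for a large record set
RESPONSE_BYTES = 3000  # constructed: the oversized answer that makes reflection pay
SYN_BYTES = 60         # constructed: IP+TCP segment with no payload (SYN or SYN-ACK)


class UdpResolver:
    """Open resolver over UDP: answers every query to whatever source it claims."""
    def __init__(self, wire):
        self.wire = wire  # Counter of bytes delivered per destination address

    def query(self, src):
        self.wire[src] += RESPONSE_BYTES


class TcpOnlyResolver:
    """Same data over TCP only: a query is answered only on a completed handshake."""
    def __init__(self, wire):
        self.wire = wire
        self.half_open = {}  # claimed source -> server ISN awaiting the final ACK

    def syn(self, src):
        isn = secrets.randbits(32)
        self.half_open[src] = isn
        self.wire[src] += SYN_BYTES  # SYN-ACK goes to the claimed source only
        return isn                   # seen only by the real owner of `src`

    def ack_and_query(self, src, acked_isn):  # simplified: the ACK must echo the ISN
        if self.half_open.get(src) != acked_isn:
            return False             # handshake never completed: nothing is answered
        del self.half_open[src]
        self.wire[src] += RESPONSE_BYTES
        return True


def reflect(victim, attempts, tcp_only):
    """Attacker spoofs `victim` as source; returns (bytes at victim, amplification)."""
    wire, sent = Counter(), 0
    resolver = TcpOnlyResolver(wire) if tcp_only else UdpResolver(wire)
    for _ in range(attempts):
        if tcp_only:
            resolver.syn(victim)     # the SYN-ACK lands on the victim, not the attacker
            sent += SYN_BYTES
            resolver.ack_and_query(victim, secrets.randbits(32))  # never saw the ISN: a guess
        else:
            resolver.query(victim)
        sent += QUERY_BYTES
    return wire[victim], wire[victim] / sent
```

With these sizes the UDP path delivers about 47 bytes to the victim for every byte the attacker sends, while the TCP-only path delivers less than one, since only the small SYN-ACK is reflected.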
Original source: https://www.cveoy.top/t/topic/fY36. Copyright belongs to the author. Do not repost or scrape!