[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

Simon Munton Simon.Munton at communitydns.net
Wed Jun 22 08:06:29 UTC 2011


iptables --limit or --hashlimit ?

Off the top of my head, with --hashlimit I would think you could 
throttle the rate to any one destination IP - stopping you being used as 
the source of the attack (--hashlimit-dstmask)


On 22/06/2011 08:38, Stephane Bortzmeyer wrote:
> On Wed, Jun 22, 2011 at 07:17:06AM +0000,
>   Dobbins, Roland<rdobbins at arbor.net>  wrote
>   a message of 40 lines which said:
>
>> I've run into it in the wild - it's mentioned on p. 54 of the Arbor
>> 2010 WISR:
>
> Is there somewhere an existing list of practices which can be used by
> authoritative DNSSEC name servers to mitigate the problem? We use nsd
> and BIND which, as far as I know, have no rate-limiting
> features. Other ideas?
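Added example, not from the thread: a small shell script that generates the iptables/xt_hashlimit rules sketched above, limiting outbound UDP/53 answers per destination prefix (--hashlimit-mode dstip with --hashlimit-dstmask) so an authoritative DNSSEC server cannot be used as a high-volume reflector toward any one victim. The rates, bursts, masks, the 512-byte size floor and the rule names are assumptions to be tuned per server; the script only prints the rules unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not code from the original thread): generate xt_hashlimit
# rules that throttle DNS responses per destination prefix. All thresholds,
# masks and names below are assumptions; tune them for the server's load.
set -eu

# Emit one rule that DROPs UDP/53 responses once a destination prefix sends
# more than RATE (e.g. 50/sec) after a BURST allowance. MASK=32 limits per
# host, MASK=24 per /24 (also catches spoofed sources spread over a victim's
# prefix). MINLEN restricts the limit to large (DNSSEC-sized) answers, so
# ordinary small replies are never throttled.
dns_resp_hashlimit_rule() {
    mask=$1; rate=$2; burst=$3; minlen=$4
    rule="iptables -A OUTPUT -p udp --sport 53"
    rule="$rule -m length --length ${minlen}:65535"
    rule="$rule -m hashlimit --hashlimit-name dns-resp-${mask}"
    rule="$rule --hashlimit-mode dstip --hashlimit-dstmask ${mask}"
    rule="$rule --hashlimit-above ${rate} --hashlimit-burst ${burst}"
    rule="$rule --hashlimit-htable-expire 60000 -j DROP"   # expire in ms
    printf '%s\n' "$rule"
}

# Two tiers (assumed values): strict per host, looser per /24, and only for
# answers of 512 bytes or more.
dns_resp_ruleset() {
    dns_resp_hashlimit_rule 32 20/sec 40 512
    dns_resp_hashlimit_rule 24 100/sec 200 512
}

# Dry run by default: print each rule with a leading "# ". With APPLY=1 the
# rules are executed (requires root and the hashlimit/length match modules).
apply_rules() {
    dns_resp_ruleset | while IFS= read -r rule; do
        if [ "${APPLY:-0}" = 1 ]; then eval "$rule"; else echo "# $rule"; fi
    done
}

apply_rules
```

Dropping in OUTPUT saves upstream bandwidth but not the CPU already spent building the answer; a matching hashlimit on INPUT (--dport 53, --hashlimit-mode srcip) is the complementary knob when query load is the concern. Per-prefix limits also throttle a busy legitimate resolver behind that prefix, so watch the counters in /proc/net/ipt_hashlimit/ before tightening.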



More information about the dns-operations mailing list