[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

Simon Munton Simon.Munton at communitydns.net
Wed Jun 22 08:06:29 UTC 2011

iptables --limit or --hashlimit ?

Off the top of my head, with --hashlimit I would think you could 
throttle the rate to any one destination IP - stopping you being used as 
the source of the attack (--hashlimit-dstmask)

On 22/06/2011 08:38, Stephane Bortzmeyer wrote:
> On Wed, Jun 22, 2011 at 07:17:06AM +0000,
>   Dobbins, Roland<rdobbins at arbor.net>  wrote
>   a message of 40 lines which said:
>> I've run into it in the wild - it's mentioned on p. 54 of the Arbor
>> 2010 WISR:
> Is there somewhere an existing list of practices which can be used by
> authoritative DNSSEC name servers to mitigate the problem? We use nsd
> and BIND which, as far as I know, have no rate-limiting
> features. Other ideas?
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

More information about the dns-operations mailing list