[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record
Simon Munton
Simon.Munton at communitydns.net
Wed Jun 22 08:23:39 UTC 2011
On 22/06/2011 09:14, Stephane Bortzmeyer wrote:
> Yes, rate-limiting outside of the name server seems reasonable. Now,
> did any big DNS operator use it for real? Successes and failures,
> anyone?
In many ways it is preferable to rate-limit in the kernel rather than in the
DNS server, as you have avoided the context-switch required to pass the UDP
packet into user-space - only to drop it!
We have used it on the in-bound and found it to be quite effective.
It uses very little CPU to filter quite a large D/DoS - the IP being
attacked is still affected, but the other IPs on the same box are
unaffected.
Although our DNS server would have been capable of taking the attack and
answering all the queries anyway, the problem was caused by the fact that
the source IP was spoofed, so each reply we gave was followed by an ICMP
to say "I never asked you that".
By rate-limiting in the kernel you avoid the answer & ICMP, reducing the
packets on the line by two thirds.
Again, the problem was not our server, which could easily cope with the
traffic, but all those 1000s of tiny packets were causing the up-stream
router to melt.
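The in-kernel rate limiting the post describes can be done with netfilter's hashlimit match. The script below is an added example, not code from the original message or from its author: it generates (and, when run as root with `apply`, installs) iptables rules that cap inbound UDP/53 queries per source address and DROP the excess before the name server ever sees them. The chain name `DNS_RL`, the hashlimit table name `dns_in`, and the rate, burst and expiry values are assumptions to be tuned against your own query rates; a busy legitimate resolver behind one address needs a higher threshold or an exemption rule in front of this chain. DROP rather than REJECT matters: a REJECT would itself send an ICMP to the spoofed source, which is exactly the extra packet the post is trying to keep off the line. Note that a per-source limit only helps when the spoofed source addresses are concentrated on a few victims, as in the incident described; an attacker spreading spoofed sources widely would need a broader (per-destination or aggregate) limit.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post. Builds iptables
# rules that rate-limit inbound UDP/53 queries per source /32 in the kernel
# (netfilter hashlimit), so excess spoofed queries are dropped before they
# reach the name server and before any answer (and the victim's ICMP
# "port unreachable") is generated. All thresholds are assumptions.

# Queries per second allowed per source address before the excess is dropped.
DNS_RATE="${DNS_RATE:-100/second}"
# Initial burst tolerated above the steady rate.
DNS_BURST="${DNS_BURST:-200}"
# Idle time (milliseconds) before a source's bucket is forgotten.
DNS_EXPIRE="${DNS_EXPIRE:-10000}"

# Emit the rule lines without executing them, one per line.
# DROP, never REJECT: a REJECT would put its own ICMP back on the wire.
dns_ratelimit_rules() {
    printf '%s\n' \
        "iptables -N DNS_RL" \
        "iptables -A DNS_RL -p udp --dport 53 -m hashlimit --hashlimit-name dns_in --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-above $DNS_RATE --hashlimit-burst $DNS_BURST --hashlimit-htable-expire $DNS_EXPIRE -j DROP" \
        "iptables -A DNS_RL -j RETURN" \
        "iptables -I INPUT 1 -p udp --dport 53 -j DNS_RL"
}

# Sanity check: how many of the emitted rules actually drop traffic.
dns_ratelimit_drop_count() {
    dns_ratelimit_rules | grep -c -- '-j DROP'
}

# Install the rules only when explicitly asked and running as root;
# otherwise just print them so they can be reviewed first.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" = 0 ]; then
    dns_ratelimit_rules | while IFS= read -r rule; do
        $rule
    done
else
    dns_ratelimit_rules
fi
```

Run it without arguments to review the generated rules; `sh dns_ratelimit.sh apply` as root installs them at the top of INPUT. Watch `iptables -L DNS_RL -v -n` after deployment: a DROP counter climbing for a single source address is the per-victim pattern the post describes, while drops spread across many addresses mean the threshold is hitting legitimate resolvers and needs raising.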