[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record
Simon.Munton at communitydns.net
Wed Jun 22 08:23:39 UTC 2011
On 22/06/2011 09:14, Stephane Bortzmeyer wrote:
> Yes, rate-limiting outside of the name server seems reasonable. Now,
> did any big DNS operator use it for real? Successes and failures,
In many ways preferable to rate-limiting in the kernel than the DNS
server as you have avoided the context-switch required to pass the UDP
packet into user-space - only to drop it!
We have used it on the in-bound and found it to be quite effective.
It uses very little CPU to filter quite a large D/DoS - the IP being
attacked is still affected, but the other IPs on the same box are
Although our DNS server would have been capable of taking the attack and
answering all the queries anyway, the problem was caused by the fact the
the source IP was spoofed, so each reply we gave was followed by an ICMP
to say "I never asked you that".
By rate-limiting in the kernel you avoid the answer & ICMP, reducing the
packets on the line by two thirds.
Again, the problem was not our server, which could easily cope with the
traffic, but all those 1000's of tiny packets was causing the up-stream
router to melt.
More information about the dns-operations