[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

John Kristoff jtk at cymru.com
Fri Jun 24 17:02:28 UTC 2011


On Fri, 24 Jun 2011 05:45:58 -1000
David Conrad <drc at virtualized.org> wrote:

> Assume your authoritative server is getting hit with (say) 100 qps
> for the same name/type.  Of what possible benefit is responding to
> all but the first within a TTL?

There may be a role for some sort of query shunning strategy, but
dropping all answers to the same resolver source within the TTL may not
be the best strategy.  For instance, you probably don't know the state
of the resolver.  It may have crashed within the TTL, it may be reducing
the TTL it gets from you, which some resolvers will do, or the answer may
simply have been lost in transit.

> I'm thinking rate limiting responses is a good thing.  The problem is
> that it requires more state.

While the maintenance of state at the server may pose challenges,
what state to keep may not be obvious.  For instance, if an attacker
wants to harm an entire subnet and not just a specific host, what state
do you track? A /24 in IPv4? A /48, /56 or /64 in IPv6?

John
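An added example (not part of the thread, and not any participant's code) of the state-keying question raised above: a token-bucket response rate limiter whose per-(source, name, type) state is keyed either by the exact source host or, as assumed here, by a /24 (IPv4) or /56 (IPv6) aggregate, run over constructed spoofed queries from the documentation range 192.0.2.0/24. The rate, burst and prefix lengths are illustrative choices, not values from the thread.

```python
import ipaddress

# Assumed aggregation widths; the thread asks which to use, it does not say.
V4_PREFIX = 24
V6_PREFIX = 56


def state_key(src_ip, qname, qtype, per_prefix=True):
    """Key under which response-rate state is tracked.

    per_prefix=False keys on the exact source address, so a flood spoofed
    from many hosts in one subnet gets one bucket per host and slips through.
    per_prefix=True masks the source to V4_PREFIX / V6_PREFIX so the whole
    subnet shares a single bucket."""
    addr = ipaddress.ip_address(src_ip)
    if per_prefix:
        plen = V4_PREFIX if addr.version == 4 else V6_PREFIX
        src = str(ipaddress.ip_network((addr, plen), strict=False))
    else:
        src = str(addr)
    return (src, qname.lower().rstrip("."), qtype.upper())


class ResponseRateLimiter:
    """Token bucket per state key: `rate` responses/second, bursts up to `burst`."""

    def __init__(self, rate=10.0, burst=10, per_prefix=True):
        self.rate, self.burst, self.per_prefix = rate, burst, per_prefix
        self.buckets = {}  # key -> (tokens, time of last refill)

    def allow(self, src_ip, qname, qtype, now):
        key = state_key(src_ip, qname, qtype, self.per_prefix)
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[key] = (tokens - 1, now)
            return "answer"
        self.buckets[key] = (tokens, now)  # bucket empty: drop this response
        return "drop"


def simulate(per_prefix, per_second=100, seconds=2):
    """Constructed scenario: per_second identical TXT queries each second,
    each spoofed from a different host in 192.0.2.0/24. Returns responses sent."""
    rrl = ResponseRateLimiter(rate=10.0, burst=10, per_prefix=per_prefix)
    sent, i = 0, 0
    for t in range(seconds):
        for _ in range(per_second):
            src = f"192.0.2.{i % 254 + 1}"
            i += 1
            if rrl.allow(src, "example.com.", "TXT", now=float(t)) == "answer":
                sent += 1
    return sent
```

With per-host keys every spoofed source gets a fresh bucket and all 200 responses go out; with the /24 key only the burst plus one second of refill (20 responses) leave the server.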
