[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record
David Conrad
drc at virtualized.org
Fri Jun 24 17:19:27 UTC 2011
On Jun 24, 2011, at 7:02 AM, John Kristoff wrote:
> There may be a role for some sort of query shunning strategy, but
> dropping all answers to the same resolver source within the TTL may not
> be the best strategy.
Right. Not suggesting that. I'm suggesting that there should be some threshold at which responding to queries becomes detrimental.
>> I'm thinking rate limiting responses is a good thing. The problem is
>> that it requires more state.
>
> While the maintenance of state at the server may pose challenges,
> what state to keep may not be obvious. For instance, if an attacker
> wants to harm an entire subnet and not just a specific host what state
> do you track? A /24 in IPv4? A /48, /56 or /64 in IPv6?
In most cases I'm aware of (at least from my root server-ish days), the "attack" (which may not be intentional) is sourced from a single address. However, I will admit not having looked at anything shorter.
Regards,
-drc
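The thread above is debating two design points of response rate limiting: what state a server keeps (per source address versus per /24 or per IPv6 /56 or /64), and whether over-limit queries should be dropped outright. The following is an added illustration, not code from the dns-operations list or from any DNS server: a small limiter keyed by source prefix and response class, with a "slip" mode that answers every n-th over-limit query with a truncated reply instead of silence (the behaviour later RRL implementations in authoritative servers adopted). The prefix lengths, rate and slip ratio are assumptions chosen for the example, and the traffic replayed through it is constructed.

```python
"""Response-rate-limit decision keyed by source prefix and response class.

Added example for the dns-operations thread; not code from any DNS server.
Prefix lengths, rate and slip ratio below are assumptions for illustration,
not operational recommendations.
"""
import ipaddress
import time

# Assumed aggregation prefixes: state is kept per IPv4 /24 and per IPv6 /56,
# so spoofed sources sprayed across one victim subnet share a single counter.
IPV4_PREFIX = 24
IPV6_PREFIX = 56


def bucket_key(src: str) -> str:
    """Reduce a source address to the prefix its rate-limit state lives under."""
    addr = ipaddress.ip_address(src)
    plen = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))


class ResponseRateLimiter:
    """Fixed one-second window per (source prefix, response class).

    Over-limit queries are not all silently dropped: every `slip`-th one gets
    a minimal truncated reply (TC=1), so a genuine resolver behind the prefix
    can retry over TCP while a spoofed victim receives at most a small packet.
    Dropping everything would let an attacker blackhole any resolver that
    shares a prefix with the spoofed sources.
    """

    def __init__(self, rate=5, slip=2, clock=time.monotonic):
        self.rate = rate        # full responses per second allowed per key
        self.slip = slip        # 1 in `slip` over-limit queries gets TC=1
        self.clock = clock
        self.state = {}         # key -> [window_second, sent, over_limit]

    def decide(self, src: str, rcode: str = "NOERROR") -> str:
        key = (bucket_key(src), rcode)
        window = int(self.clock())
        st = self.state.setdefault(key, [window, 0, 0])
        if st[0] != window:     # new second: reset both counters
            st[:] = [window, 0, 0]
        if st[1] < self.rate:
            st[1] += 1
            return "respond"
        st[2] += 1
        if self.slip and st[2] % self.slip == 0:
            return "slip"       # send a truncated reply, not the full answer
        return "drop"


def simulate(queries, **limiter_args):
    """Replay (src, t_seconds) tuples through one limiter; return per-prefix tallies."""
    now = [0.0]
    rl = ResponseRateLimiter(clock=lambda: now[0], **limiter_args)
    tallies = {}
    for src, t in queries:
        now[0] = t
        tally = tallies.setdefault(bucket_key(src),
                                   {"respond": 0, "slip": 0, "drop": 0})
        tally[rl.decide(src)] += 1
    return tallies


# Constructed traffic (not captured data): 100 queries inside one second whose
# spoofed sources walk across 192.0.2.0/24, plus a resolver at 198.51.100.7
# asking twice per second for five seconds.
ATTACK = [(f"192.0.2.{i % 250 + 1}", i / 100) for i in range(100)]
LEGIT = [("198.51.100.7", i / 2) for i in range(10)]

if __name__ == "__main__":
    for prefix, tally in simulate(ATTACK + LEGIT).items():
        print(prefix, tally)
```

With the assumed rate of 5 per second, the spoofed burst gets 5 full answers, 47 truncated slips and 48 drops regardless of how many distinct last octets it uses, because all of them collapse to the one /24 key; the well-behaved resolver, at two queries per second, is never touched. Narrowing the key to a single address (as David's root-server observation would justify) is a one-line change to `bucket_key`, and the trade-off John raises is visible in the same place: a wider prefix catches subnet-spraying at the cost of penalising legitimate neighbours.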