[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

David Conrad drc at virtualized.org
Fri Jun 24 17:19:27 UTC 2011

On Jun 24, 2011, at 7:02 AM, John Kristoff wrote:
> There may be a role for some sort of query shunning strategy, but
> dropping all answers to the same resolver source within the TTL may not
> be the best strategy.  

Right.  Not suggesting that.  I'm suggesting that there should be some threshold at which responding to queries becomes detrimental.

>> I'm thinking rate limiting responses is a good thing.  The problem is
>> that it requires more state.
> While the maintenance of state at the server may pose challenges,
> what state to keep may not be obvious.  For instance, if an attacker
> wants to harm an entire subnet and not just a specific host what state
> do you track? A /24 in IPv4? A /48, /56 or /64 in IPv6?

In most cases I'm aware of (at least from my root server-ish days), the "attack" (which may not be intentional) is sourced from a single address.  However, I will admit not having looked at anything shorter.

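As an added illustration of the state question raised in the exchange above (this is example code, not anything from the list or from a shipping nameserver), the following sketch keeps a token bucket per client prefix rather than per client address, so the operator chooses the aggregation (/24 or /32 for IPv4, /48, /56 or /64 for IPv6) and the rate at which responding to a source stops. The rate, burst and prefix lengths are arbitrary assumptions, as are the constructed sample queries from documentation address space.

```python
"""Per-source-prefix response rate limiter (token bucket).

Added example: one way to keep the "threshold after which we stop answering"
state discussed on the list. Each bucket is keyed on the querying address
truncated to an operator-chosen prefix length, so a flood that hops across a
subnet is still charged to one budget. Parameters are illustrative.
"""
import ipaddress
from collections import defaultdict


class ResponseRateLimiter:
    def __init__(self, rate=5.0, burst=10, v4_prefix=24, v6_prefix=56):
        self.rate = rate            # credits (responses) regained per second
        self.burst = burst          # maximum credits a prefix can hold
        self.v4_prefix = v4_prefix  # aggregation for IPv4 sources
        self.v6_prefix = v6_prefix  # aggregation for IPv6 sources
        self.buckets = {}           # prefix -> (credits, last_seen_time)

    def key_for(self, src_ip):
        """Map a source address to the prefix whose budget it draws from."""
        ip = ipaddress.ip_address(src_ip)
        plen = self.v4_prefix if ip.version == 4 else self.v6_prefix
        return ipaddress.ip_network(f"{ip}/{plen}", strict=False).with_prefixlen

    def decide(self, src_ip, now):
        """Return "respond" or "drop" for a query from src_ip at time now."""
        key = self.key_for(src_ip)
        credits, last = self.buckets.get(key, (float(self.burst), now))
        # Refill proportionally to elapsed time, capped at the burst size.
        credits = min(float(self.burst), credits + (now - last) * self.rate)
        if credits >= 1.0:
            self.buckets[key] = (credits - 1.0, now)
            return "respond"
        self.buckets[key] = (credits, now)
        return "drop"


def simulate(queries, limiter):
    """Run (time, src_ip) pairs through the limiter.

    Returns {prefix: (responded, dropped)} so the effect of the chosen
    aggregation on each source group can be inspected.
    """
    stats = defaultdict(lambda: [0, 0])
    for t, src in queries:
        key = limiter.key_for(src)
        if limiter.decide(src, t) == "respond":
            stats[key][0] += 1
        else:
            stats[key][1] += 1
    return {k: tuple(v) for k, v in stats.items()}


def sample_queries():
    """Constructed traffic (documentation ranges, not real captures):
    100 queries in one second from a single spoofed source, plus three
    normal queries from an unrelated network."""
    flood = [(i / 100.0, "192.0.2.10") for i in range(100)]
    legit = [(0.1, "198.51.100.7"), (0.5, "198.51.100.7"), (0.9, "198.51.100.7")]
    return sorted(flood + legit)


def run_demo():
    limiter = ResponseRateLimiter(rate=5.0, burst=10, v4_prefix=24, v6_prefix=56)
    return simulate(sample_queries(), limiter)


if __name__ == "__main__":
    for prefix, (ok, dropped) in run_demo().items():
        print(f"{prefix:20} responded={ok:3d} dropped={dropped:3d}")
```

With /24 aggregation the flood is charged to 192.0.2.0/24 and only the burst plus one second of refill gets answered, while 198.51.100.0/24 is never touched; widening the aggregation (for example /16) makes a spoofed flood collateral damage for every host in that range, which is exactly the trade-off behind the "what state do you track?" question. A production limiter would normally also fold the response identity (name, type, rcode) into the key, and can answer a limited-out query with a truncated response to push legitimate clients to TCP instead of dropping it outright.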
