[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

David Conrad drc at virtualized.org
Fri Jun 24 17:59:56 UTC 2011


On Jun 24, 2011, at 7:26 AM, John Kristoff wrote:
>> In most cases I'm aware of (at least from my root server-ish days),
>> the "attack" (which may not be intentional) is sourced from a single
>> address.  However, I will admit not having looked at anything shorter.
> In my experience, that is only the attack profile I've seen too, but I
> don't think we can count on miscreants to conform to past profiles.

The argument 'the miscreant will change tactics' could be used against pretty much any mitigation technique.  The real question is probably related to cost/benefit ratios. Ignoring the benefits to the authoritative server operator in ignoring a flood of repeat queries from the same source (i.e., not overwhelming outbound capacity), I personally think rate limiting would be an appropriate tool to help reduce the impact of amplification attacks at a relatively low cost.  Is it the ultimate solution?  Obviously not.  What alternatives are there?
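The rate limiting David describes above (ignoring a flood of repeat queries from the same source on an authoritative server) is easy to model. The following is an added example, not code from this thread or from any DNS server implementation: a per-source token bucket keyed on the client network prefix, query name and type, with the "slip" behaviour (answering every Nth withheld query with a small TC=1 response so a genuine client retries over TCP, which a spoofed source cannot do). The key layout, the rate, burst and slip values, and the sample traffic are all assumptions constructed for the illustration.

```python
"""Toy per-source response rate limiter for an authoritative DNS server.

Added example: not the poster's code and not any real server's RRL code.
Each (client prefix, qname, qtype) tuple gets a token bucket; when the
bucket is empty the response is withheld, and every `slip`-th withheld
response is instead sent truncated (TC=1) so real clients retry over TCP.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class _Bucket:
    tokens: float      # responses still allowed in the current burst
    last: float        # timestamp of the last refill, in seconds
    limited: int = 0   # responses withheld so far (drives the slip counter)


class ResponseRateLimiter:
    def __init__(self, rate=5.0, burst=10, slip=2, v4_prefix=24, v6_prefix=56):
        self.rate = rate          # sustained responses per second per key (assumed value)
        self.burst = burst        # bucket capacity (assumed value)
        self.slip = slip          # 1 in `slip` withheld answers is sent as TC=1; 0 disables
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        self._buckets = {}

    def _key(self, src_ip, qname, qtype):
        # Aggregate by prefix: an attacker spraying spoofed addresses inside one
        # network should share a bucket, not get a fresh one per address.
        addr = ipaddress.ip_address(src_ip)
        prefix = self.v6_prefix if addr.version == 6 else self.v4_prefix
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper())

    def decide(self, ts, src_ip, qname, qtype):
        """Return 'respond', 'truncate' or 'drop' for one incoming query."""
        key = self._key(src_ip, qname, qtype)
        b = self._buckets.get(key)
        if b is None:
            b = self._buckets[key] = _Bucket(tokens=float(self.burst), last=ts)
        else:
            # Refill proportionally to elapsed time, capped at the burst size.
            b.tokens = min(float(self.burst), b.tokens + (ts - b.last) * self.rate)
            b.last = ts
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return "respond"
        b.limited += 1
        if self.slip and b.limited % self.slip == 0:
            return "truncate"   # small TC=1 reply: no amplification, real clients retry via TCP
        return "drop"


# Constructed sample traffic (not a real capture): (time_s, source_ip, qname, qtype).
SAMPLE_QUERIES = (
    [(1.0, "198.51.100.7", "example.com.", "ANY")] * 30        # burst of repeat queries, one source
    + [(1.0, "203.0.113.9", "www.example.com.", "A"),
       (1.5, "203.0.113.9", "www.example.com.", "A"),
       (2.0, "203.0.113.9", "www.example.com.", "A")]           # ordinary resolver, unaffected
    + [(3.0, "198.51.100.7", "example.com.", "ANY")]            # same source after a 2 s pause
)


def run(queries, limiter=None):
    """Feed queries through the limiter and tally decisions per source address."""
    limiter = limiter or ResponseRateLimiter()
    counts = {}
    for ts, src, qname, qtype in queries:
        d = limiter.decide(ts, src, qname, qtype)
        counts.setdefault(src, {"respond": 0, "truncate": 0, "drop": 0})[d] += 1
    return counts


if __name__ == "__main__":
    for src, c in run(SAMPLE_QUERIES).items():
        print(f"{src:15} respond={c['respond']:3} truncate={c['truncate']:3} drop={c['drop']:3}")
```

With the assumed settings, the 30 simultaneous repeat queries get 10 full answers (the burst), then alternate between silent drops and truncated replies, while the unrelated resolver is never touched; after the pause the bucket has refilled and the source is answered again. Because the limiter acts on outbound responses, the cost the poster mentions (outbound capacity) is what it protects, and the key choice determines how much collateral a shared-prefix resolver sees.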

