[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

David Conrad drc at virtualized.org
Fri Jun 24 20:28:17 UTC 2011


David,

On Jun 24, 2011, at 8:42 AM, David Miller wrote:
> However, for rate based attacks against DNS itself, with IPv4 you could see up to ~3 billion possible "valid" (but not really) source addresses... with IPv6... forgetaboutit...  The same mechanisms must protect DNS servers against both simultaneously.

Hmm.  I'm not sure I see why a rate limiter would need to keep track of all IP addresses.  Wouldn't you only need to keep track of the addresses you responded to during the rate limit period?

Anyhow, the point is that rate limiting can be helpful in reducing the threat of (some of the) amplification attacks. What's the alternative?

Regards,
-drc
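The limiter described above, as an added example that is not part of this thread: state is keyed only by sources that were actually answered within the current window and is pruned when the window closes, so the table grows with recent responders rather than with the size of the address space. The window, limit and per-prefix aggregation widths (/24 for IPv4, /56 for IPv6) are assumptions chosen for the illustration.

```python
from ipaddress import ip_address, ip_network


class ResponseRateLimiter:
    """Per-source DNS response rate limiter with bounded state.

    Only sources we have responded to inside the current window occupy an
    entry; expired entries are pruned on every call. Sources are aggregated
    by prefix (assumed /24 for IPv4, /56 for IPv6) so a spoofed sweep across
    one network shares a single bucket instead of creating one per address.
    """

    def __init__(self, limit, window_seconds, v4_prefix=24, v6_prefix=56):
        self.limit = limit
        self.window = window_seconds
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        self._buckets = {}  # prefix key -> [window_start, responses_counted]

    def _key(self, src):
        addr = ip_address(src)
        plen = self.v4_prefix if addr.version == 4 else self.v6_prefix
        return str(ip_network((str(addr), plen), strict=False))

    def _prune(self, now):
        # Drop every bucket whose window has closed. This keeps the table
        # proportional to recent responders, not to all possible sources.
        expired = [k for k, (start, _) in self._buckets.items()
                   if now - start >= self.window]
        for k in expired:
            del self._buckets[k]

    def allow(self, src, now):
        """Return True if a full response may be sent to src at time now.

        A production limiter would usually answer over-limit queries with a
        truncated (TC) response for some fraction rather than drop silently,
        so a genuine client can retry over TCP; that is omitted here.
        """
        self._prune(now)
        key = self._key(src)
        bucket = self._buckets.get(key)
        if bucket is None:
            self._buckets[key] = [now, 1]
            return True
        bucket[1] += 1
        return bucket[1] <= self.limit

    def tracked(self):
        """Number of sources currently occupying state (constructed metric)."""
        return len(self._buckets)
```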
