[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

Dobbins, Roland rdobbins at arbor.net
Fri Jun 24 22:36:41 UTC 2011

On Jun 24, 2011, at 1:59 PM, David Conrad wrote:

> I personally think rate limiting would be an appropriate tool to help reduce the impact of amplification attacks at a relatively low cost.

All this does is ensure the attack-related queries get through, whilst the legitimate ones are crowded out, unfortunately.

>  Is it the ultimate solution?  Obviously not.  What alternatives are there?

As noted previous - query/answer analysis in order to determine what's being hammered, and then appropriate query-filtering action, and/or S/RTBH, and/or flowspec, and/or IDMS.

That's pretty much it, AFAIK.

Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

		The basis of optimism is sheer terror.

			  -- Oscar Wilde

More information about the dns-operations mailing list