[dns-operations] Limiting DNSSEC-based amplification attacks

Jim Reid jim at rfc1035.com
Sat Jun 25 14:13:01 UTC 2011

On 24 Jun 2011, at 21:28, David Conrad wrote:

> Anyhow, the point is that rate limiting can be helpful in reducing  
> the threat of (some of the) amplification attacks.

True, though if this has to be done in the name server, it's pretty  
much a last resort. Like installing flood detectors in the top floor  
of a tall building. [I know of a place where the insurers demanded  
this, but I digress...]

IIUC some implementations -- PowerDNS? -- already keep a cache in wire  
format of recent answers they've sent. So it would be a no-brainer to  
extend that to do rate limiting. However it's not clear to me if the  
overhead of that cache maintenance and lookup would be worth it. The  
bad guy would probably still be capable of sending more queries to the  
server than it or its network pipe could handle. Still, it's worth a  
try and gathering some hard data.

More information about the dns-operations mailing list