[dns-operations] Limiting DNSSEC-based amplification attacks
Jim Reid
jim at rfc1035.com
Sat Jun 25 14:13:01 UTC 2011
On 24 Jun 2011, at 21:28, David Conrad wrote:
> Anyhow, the point is that rate limiting can be helpful in reducing
> the threat of (some of the) amplification attacks.
True, though if this has to be done in the name server, it's pretty
much a last resort. Like installing flood detectors in the top floor
of a tall building. [I know of a place where the insurers demanded
this, but I digress...]
IIUC some implementations -- PowerDNS? -- already keep a cache in wire
format of recent answers they've sent. So it would be a no-brainer to
extend that to do rate limiting. However it's not clear to me if the
overhead of that cache maintenance and lookup would be worth it. The
bad guy would probably still be capable of sending more queries to the
server than it or its network pipe could handle. Still, it's worth a
try, and worth gathering some hard data.