[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record
Tony Finch
dot at dotat.at
Sat Jun 25 19:07:30 UTC 2011
On 24 Jun 2011, at 19:42, David Miller <dmiller at tiggee.com> wrote:
>
> Functionally? I would welcome any mechanism that could reasonably detect / respond to this (other than active human intervention). A state table will be overrun, using any current tech that I have seen, if you try to track state of queries from each source (e.g. any query for anything == +1 for queries from $source). Now we are talking about tracking particular queries from each source. This greatly expands the state table that couldn't be maintained in the smaller case.
Use a counting bloom filter indexed by a hash of the query source+name+type+class. If the count passes a threshold, don't reply. Zero the whole filter every minute or five.
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
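The scheme Tony sketches above, written out as an added example that is not code from the post or from any DNS server: a counting Bloom filter of saturating 8-bit counters, keyed by a hash of source+name+type+class, a per-key reply threshold, and a wholesale zeroing of the filter once per interval. The filter size (65536 counters), three hash positions per key derived from one blake2b digest, the threshold of 20 replies per 60-second window, the name normalisation, and the simulated traffic are all assumptions made for the example, not parameters the post gives.

```python
import hashlib
import struct


class CountingBloomFilter:
    """Fixed-size array of saturating 8-bit counters, k positions per key.

    Memory is fixed regardless of how many distinct keys are seen, which is
    the point of using it instead of a per-source/per-query state table.
    """

    def __init__(self, size: int = 1 << 16, hashes: int = 3, max_count: int = 255):
        if not 1 <= hashes <= 8:
            raise ValueError("hashes must be between 1 and 8 (one 64-byte blake2b digest)")
        self.size = size
        self.hashes = hashes
        self.max_count = max_count
        self.counters = bytearray(size)

    def _indexes(self, key: bytes):
        # One blake2b digest sliced into k 64-bit words, each reduced to an index.
        digest = hashlib.blake2b(key, digest_size=8 * self.hashes).digest()
        for i in range(self.hashes):
            (word,) = struct.unpack_from("<Q", digest, 8 * i)
            yield word % self.size

    def add(self, key: bytes) -> int:
        """Increment the k counters for key and return the estimated count.

        The estimate is the minimum over the k counters; hash collisions with
        other keys can only push it up, never down, so a busy key is never
        under-counted but an innocent key can occasionally be over-counted.
        """
        estimate = self.max_count
        for idx in self._indexes(key):
            if self.counters[idx] < self.max_count:
                self.counters[idx] += 1
            estimate = min(estimate, self.counters[idx])
        return estimate

    def zero(self) -> None:
        self.counters = bytearray(self.size)


class QueryRateLimiter:
    """Stop replying to a (source, name, type, class) tuple once it passes
    `threshold` hits in the current window; zero everything each `interval`."""

    def __init__(self, threshold: int = 20, interval: float = 60.0, **bloom_args):
        self.threshold = threshold
        self.interval = interval
        self.filter = CountingBloomFilter(**bloom_args)
        self.window_start = None

    @staticmethod
    def key(source: str, qname: str, qtype: int, qclass: int) -> bytes:
        # Lower-case and drop the trailing dot so "Example.COM." and "example.com"
        # (names are case-insensitive) fall into the same key rather than letting
        # case variation spread one query stream across many keys.
        name = qname.lower().rstrip(".")
        return f"{source}|{name}|{qtype}|{qclass}".encode()

    def allow(self, source: str, qname: str, qtype: int, qclass: int, now: float) -> bool:
        if self.window_start is None or now - self.window_start >= self.interval:
            self.filter.zero()
            self.window_start = now
        count = self.filter.add(self.key(source, qname, qtype, qclass))
        return count <= self.threshold


def simulate(threshold: int = 20, interval: float = 60.0) -> dict:
    """Constructed traffic, not a capture: 1000 spoofed 'ANY example.com' queries
    carrying the victim's address, interleaved with 1000 queries for distinct
    names from an ordinary resolver, all within one window. Returns how many of
    each got a reply and whether the victim's address is served again after the
    filter has been zeroed at the start of the next window."""
    limiter = QueryRateLimiter(threshold=threshold, interval=interval)
    victim, resolver = "192.0.2.10", "198.51.100.7"  # documentation addresses
    TYPE_ANY, TYPE_A, CLASS_IN = 255, 1, 1
    attack_replies = legit_replies = 0
    for i in range(1000):
        now = i * 0.001  # one millisecond apart, well inside the first window
        if limiter.allow(victim, "example.com.", TYPE_ANY, CLASS_IN, now):
            attack_replies += 1
        if limiter.allow(resolver, f"host{i}.example.com.", TYPE_A, CLASS_IN, now):
            legit_replies += 1
    # Next window: the filter is zeroed, so the victim's address gets replies
    # again; amplification per key is bounded at `threshold` replies per interval.
    served_next_window = limiter.allow(victim, "example.com.", TYPE_ANY, CLASS_IN, interval)
    return {
        "attack_replies": attack_replies,
        "legit_replies": legit_replies,
        "served_next_window": served_next_window,
    }


if __name__ == "__main__":
    print(simulate())
```

With the constructed traffic, the spoofed stream gets exactly `threshold` replies per window and the resolver's spread of distinct names is untouched. Two caveats a deployment needs to weigh: the filter can over-count an innocent key whose k positions all collide with hot counters, so size the array for the expected distinct-key rate rather than for memory alone; and because the key includes the query name, a spoofer who rotates names in a large zone is counted under many keys, so the bound on amplification is per key, not per spoofed source.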