[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

Tony Finch dot at dotat.at
Sat Jun 25 19:07:30 UTC 2011


On 24 Jun 2011, at 19:42, David Miller <dmiller at tiggee.com> wrote:
> 
> Functionally?  I would welcome any mechanism that could reasonably detect / respond to this (other than active human intervention).  A state table will be overrun, using any current tech that I have seen, if you try to track state of queries from each source (e.g. any query for anything == +1 for queries from $source).  Now we are talking about tracking particular queries from each source.  This greatly expands the state table that couldn't be maintained in the smaller case.

Use a counting bloom filter indexed by a hash of the query source+name+type+class. If the count passes a threshold, don't reply. Zero the whole filter every minute or five.

Tony.
--
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
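One way to implement the counter Tony describes, as an added example in Python (not code from the original post or from any DNS server): a counting Bloom filter keyed on source, name, type and class, with a threshold and a periodic whole-filter reset. Case-folding the name, deriving k=3 indices from a SHA-256 digest, and the injectable clock are my assumptions, not details the post specifies.

```python
import hashlib
import time


class CountingBloomRRL:
    """Response rate limiter backed by a counting Bloom filter.

    Each (source, qname, qtype, qclass) tuple is hashed to k counters.
    The estimated count for a tuple is the minimum of its counters:
    a collision can only inflate a counter, never deflate it, so the
    filter never under-counts a flood. The price is an occasional
    false positive (a legitimate reply dropped), bounded by filter size.
    """

    def __init__(self, size=1 << 18, hashes=3, threshold=10,
                 window=60.0, now=time.monotonic):
        self.size, self.hashes = size, hashes          # hashes <= 8 (32-byte digest)
        self.threshold, self.window = threshold, window
        self._now = now                                # injectable clock for testing
        self.counts = [0] * size
        self.last_reset = now()

    def _indexes(self, source, qname, qtype, qclass):
        # Assumption: qname matches case-insensitively and without the trailing dot.
        key = f"{source}|{qname.lower().rstrip('.')}|{qtype}|{qclass}".encode()
        digest = hashlib.sha256(key).digest()          # one digest, sliced into k indices
        return [int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.size
                for i in range(self.hashes)]

    def _maybe_reset(self):
        # Zero the whole filter once per window, as the post suggests.
        if self._now() - self.last_reset >= self.window:
            self.counts = [0] * self.size
            self.last_reset = self._now()

    def should_reply(self, source, qname, qtype, qclass):
        """Return True if the reply should be sent, False if it should be dropped."""
        self._maybe_reset()
        idxs = self._indexes(source, qname, qtype, qclass)
        if min(self.counts[i] for i in idxs) >= self.threshold:
            return False                               # over threshold this window
        for i in idxs:
            self.counts[i] += 1                        # stop counting once over threshold
        return True


if __name__ == "__main__":
    # Constructed sample traffic: one spoofed source repeating the same query.
    rrl = CountingBloomRRL(size=4096, threshold=3)
    for n in range(5):
        print(n, rrl.should_reply("192.0.2.1", "example.com", "ANY", "IN"))
```

Counters stop incrementing once a key is over threshold, so a sustained flood cannot saturate neighbouring slots faster than the reset clears them.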
