[dns-operations] DNS ANY requests from Amazon?
Stephane Bortzmeyer
bortzmeyer at nic.fr
Tue Dec 18 07:55:20 UTC 2012
On Mon, Dec 17, 2012 at 08:17:18PM +0000,
Paul Vixie <paul at redbarn.org> wrote
a message of 33 lines which said:
> if you limit your request flows rather than your response flows,
> then your only choice is: too low, where a legitimate client asking
> a legitimately diverse set of questions, does not get reliable
> service;
In theory, you're right. In practice, the attacks of *today* are quite
simple and quite separate from normal DNS traffic (nobody asks "ANY
isc.org" in the real world, except the attackers).
I appreciate the BIND RRL patch and it is obvious to me that we must
continue the research in dDoS mitigation, but let's not drop the
mitigations techniques that work *today*. (The attackers are not
superhuman, they use imperfect techniques.)
> OS-level rate limiting also lacks the ability to insert TC=1
> responses on a statistical basis, thus transforming rate limiting
> into transaction delay rather than transaction loss.
Yes.
> see http://www.redbarn.org/dns/ratelimits for background, including
> patches (which are not currently supported by ISC)
In actual deployments, some people may be unwilling or unauthorized
(corporate policy) to install "unofficial" patches on a production
server. That's why we should not reject blindly the OS-level rate
limiters (see my mini-HOWTO in this thread).
More information about the dns-operations
mailing list