[dns-operations] DNS ANY requests from Amazon?

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Dec 18 07:55:20 UTC 2012

On Mon, Dec 17, 2012 at 08:17:18PM +0000,
 Paul Vixie <paul at redbarn.org> wrote 
 a message of 33 lines which said:

> if you limit your request flows rather than your response flows,
> then your only choice is: too low, where a legitimate client asking
> a legitimately diverse set of questions, does not get reliable
> service;

In theory, you're right. In practice, the attacks of *today* are quite
simple and quite separate from normal DNS traffic (nobody asks "ANY
isc.org" in the real world, except the attackers).

I appreciate the BIND RRL patch and it is obvious to me that we must
continue the research in dDoS mitigation, but let's not drop the
mitigations techniques that work *today*. (The attackers are not
superhuman, they use imperfect techniques.)

> OS-level rate limiting also lacks the ability to insert TC=1
> responses on a statistical basis, thus transforming rate limiting
> into transaction delay rather than transaction loss.


> see http://www.redbarn.org/dns/ratelimits for background, including
> patches (which are not currently supported by ISC)

In actual deployments, some people may be unwilling or unauthorized
(corporate policy) to install "unofficial" patches on a production
server. That's why we should not reject blindly the OS-level rate
limiters (see my mini-HOWTO in this thread).

More information about the dns-operations mailing list