[dns-operations] DNS ANY requests from Amazon?

Paul Vixie paul at redbarn.org
Tue Dec 18 15:25:24 UTC 2012

On 12/18/2012 7:55 AM, Stephane Bortzmeyer wrote:
> On Mon, Dec 17, 2012 at 08:17:18PM +0000,
>  Paul Vixie <paul at redbarn.org> wrote 
>  a message of 33 lines which said:
>> if you limit your request flows rather than your response flows,
>> then your only choice is: too low, where a legitimate client asking
>> a legitimately diverse set of questions, does not get reliable
>> service;
> In theory, you're right. In practice, the attacks of *today* are quite
> simple and quite separate from normal DNS traffic (nobody asks "ANY
> isc.org" in the real world, except the attackers).

any time spent matching on things like bufsize=9000 is worse than
wasted. even the lowest quality attacker can change it to 9001 at the
start of a long holiday weekend. my rule of thumb is, don't install
stuff that's not worth significant lab time up front. your attackers can
adapt; so must your defense.

> I appreciate the BIND RRL patch and it is obvious to me that we must
> continue the research in dDoS mitigation, but let's not drop the
> mitigation techniques that work *today*. (The attackers are not
> superhuman, they use imperfect techniques.)

when i said that setting the per-requestor quota high enough to avoid
false positives would give attackers enough capacity to cause real
injury, i'm speaking from direct experience with f-root. believe me when
i tell you, if we could solve this in the kernel, without a process
context switch, without a user mode data copy... we would. that is,
*today* we have attackers who can adapt to per-requestor quotas who have
not yet adapted to per-response-flow quotas.

>> see http://www.redbarn.org/dns/ratelimits for background, including
>> patches (which are not currently supported by ISC)
> In actual deployments, some people may be unwilling or unauthorized
> (corporate policy) to install "unofficial" patches on a production
> server. That's why we should not reject blindly the OS-level rate
> limiters (see my mini-HOWTO in this thread).

i encourage anyone who needs RRL in BIND and who can't run "patches" to
contact ISC and inquire about support options.


"When challenging a Kzin, a simple scream of rage will suffice. You scream and you leap." 
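
The trade-off argued in this message, as an added illustration that is not part of the original e-mail and is not the BIND RRL patch's code: a simplified fixed-window model comparing a quota keyed on the requestor with one keyed on the response flow. The /24 grouping, the one-second window, the limits, and the addresses and names in the sample traffic are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

WINDOW = 1.0  # seconds; fixed accounting window (assumption for this model)

def netblock(addr, prefix=24):
    """Account per /24 rather than per address (prefix length is an assumption)."""
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

def request_key(q):
    # Per-requestor quota: every question from a source block shares one bucket.
    return netblock(q["src"])

def response_key(q):
    # Per-response-flow quota: only identical responses sent toward the same
    # block share a bucket, so diverse questions do not compete with each other.
    return (netblock(q["src"]), q["qname"].lower(), q["qtype"])

def run(queries, key_fn, limit):
    """Return {src: answered_count} when each key may be answered `limit` times per window."""
    counts = defaultdict(int)
    answered = defaultdict(int)
    for q in queries:
        bucket = (key_fn(q), int(q["t"] // WINDOW))
        counts[bucket] += 1
        if counts[bucket] <= limit:
            answered[q["src"]] += 1
    return dict(answered)

def sample_traffic():
    """Constructed one-second sample: 40 diverse lookups from a resolver and
    40 identical ANY queries whose source is a spoofed victim address."""
    legit = [{"t": i / 40, "src": "192.0.2.10",
              "qname": f"host{i}.example.org", "qtype": "A"} for i in range(40)]
    spoofed = [{"t": i / 40, "src": "198.51.100.7",
                "qname": "example.org", "qtype": "ANY"} for i in range(40)]
    return sorted(legit + spoofed, key=lambda q: q["t"])

if __name__ == "__main__":
    traffic = sample_traffic()
    for label, fn, limit in [("per-requestor, limit 5", request_key, 5),
                             ("per-requestor, limit 40", request_key, 40),
                             ("per-response-flow, limit 5", response_key, 5)]:
        print(f"{label}: {run(traffic, fn, limit)}")
```

In this model the per-requestor quota either drops most of the resolver's diverse lookups (limit 5) or sends the full stream of identical responses to the spoofed address (limit 40), while the per-response-flow quota answers all 40 diverse lookups and only 5 of the repeated ANY responses.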
