[dns-operations] DNS ANY requests from Amazon?

Matt Rowley matt at arin.net
Tue Dec 18 18:59:05 UTC 2012


On Dec 17, 2012, at 3:17 PM, Paul Vixie wrote:

>> There is a patch available for rate-limiting inside BIND.
> 
> see http://www.redbarn.org/dns/ratelimits for background, including
> patches (which are not currently supported by ISC) and a technical note
> (which looks a bit like an RFC that some day i hope RRL will deserve.)

For what it's worth, ARIN also came under an amplification attack recently. This was early last month. They were querying the heck out of ripe.net, for which we provide secondary service. It's a nice, signed zone that's chunky on the outbound.
We were able to completely mitigate the attack using Schryver & Vixie's ratelimiter BIND patch.  It's working quite well for us.

cheers,
Matt

