[dns-operations] ok, DNS RRL (rate limits) are officially, seriously, cool

Vernon Schryver vjs at rhyolite.com
Mon Jun 25 13:56:05 UTC 2012

From: Klaus Darilion <klaus.mailinglists at pernau.at> 

> Nice. But I wonder why there is a drop-down of outgoing packets
> during an amplification attack. I would expect that outgoing traffic
> is constant. Maybe, in this case also legitimate queries are blocked
> (false positive).

Why would false positives happen only while there are lots of true positives?

This rate limiting scheme is not an automatic IP address or domain
name ACL.  The only likely false positives are legitimte requests both
for the same records as the attack requests and from the same IP as
the forged requests.  If the reduction indicates false positives, then
the bad guys are forging requests that are from real clients and for
the same names, but not by themselves enough to the reach rate limit.
So I think the reduction could be false positives only if the attack
involves a lot of differing client IP addresses and some very popular

Note also that the graphs don't say whether a reduction in outgoing
packets happens during an attack without the rate limiting.  The
reasonable guess is that somewhere in the path from the real and
attacking clients up to and including the server there are bottlenecks
that let the attack hurt legitimate traffic, but we don't know
where.  Maybe the attack blocks legitimate requests in router or
firewalls between the server and legitimate clients.

From: Phil Regnauld <regnauld at nsrc.org>

} That's assuming all other clients are behaving properly in the
} first place, could be a non negligible number of malware generating
} this background noise. Their existence might be revealed by rate
} limitation.

Because this rate limiting scheme is not an automatic IP address
or name ACL, I don't understand how that might happen.  Why would
bad guys be continuing forging about 1 qps for the same clients and
name as during the real attack?

} But yes, it's worth digging. 

Agreed.  However, the obvious test of checking for a reduction in
legitimate responses during an attack would be hard (how could you
tell?) and unsavory.

Vernon Schryver    vjs at rhyolite.com

More information about the dns-operations mailing list