[dns-operations] question for DNS being attacked
Paul Vixie
paul at redbarn.org
Thu Jun 28 05:07:05 UTC 2012
On 2012-06-28 4:04 AM, Michael Hoskins (michoski) wrote:
> ...or even firewall based rate limiting like iptables or dummynet.
>
> http://codingfreak.blogspot.com/2010/01/iptables-rate-limit-incoming.html
We've used dummynet on F-root for many years now. It has a
barely-tolerable false positives problem, in that a stream of legitimate
queries from a real client can be significantly impacted, leading to
application slowdowns. The weaknesses in this approach led to DNS RRL,
which takes account not only of the purported source address, but of the
prospective response to the query. It's the combination of source
address and prospective response that helps tell friendly flows from
unfriendly ones with a low false positive rate.
paul
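As an added illustration (not part of Paul's message), here is a small Python simulation of the two keying strategies he contrasts: limiting on the purported source address alone versus on source address plus prospective response. The traffic, addresses and limit are constructed; real RRL additionally masks the source to a prefix and includes the response code in the key, which is omitted here.

```python
from collections import Counter

# Constructed sample traffic, not real captures. Each query is (source, qname, qtype).
# 10.0.0.1 is a busy but legitimate resolver asking for many different names;
# 192.0.2.9 is a spoofed victim address from which the same large answer is
# requested over and over, as in a reflection flood.
LEGIT = [("10.0.0.1", f"host{i}.example.", "A") for i in range(30)]
FLOOD = [("192.0.2.9", "big.example.", "TXT") for _ in range(30)]
STREAM = [q for pair in zip(LEGIT, FLOOD) for q in pair]  # interleaved arrivals

LIMIT = 5  # responses allowed per key in one window (assumed window = whole stream)


def source_key(q):
    """Per-source limiting (dummynet/iptables style): only the purported source counts."""
    return q[0]


def rrl_key(q):
    """RRL-style key: source address plus the prospective response (name, type).
    Real RRL also masks the source to a prefix and includes the rcode; omitted here."""
    return (q[0], q[1], q[2])


def dropped_per_source(stream, key_fn, limit):
    """Apply a simple per-key counter and return {source: number of dropped queries}."""
    seen = Counter()
    dropped = Counter()
    for q in stream:
        k = key_fn(q)
        seen[k] += 1
        if seen[k] > limit:
            dropped[q[0]] += 1
    return dict(dropped)


def compare(stream=STREAM, limit=LIMIT):
    """Run both policies over the same stream so the false-positive difference is visible."""
    return {
        "source_only": dropped_per_source(stream, source_key, limit),
        "rrl": dropped_per_source(stream, rrl_key, limit),
    }


if __name__ == "__main__":
    for policy, drops in compare().items():
        print(policy, drops)
```

With source-only keying the legitimate resolver loses 25 of its 30 distinct queries alongside the flood, whereas the (source, response) key drops only the repeated identical answer.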