[dns-operations] First experiments with DNS dampening to fight amplification attacks
Dobbins, Roland
rdobbins at arbor.net
Mon Oct 29 10:13:55 UTC 2012
On Oct 29, 2012, at 4:28 PM, Klaus Darilion wrote:
> We apply iptables based rate-limiting on ANY queries with RD bit set.
The problem with fronting your DNS servers with a stateful firewall is that it makes it susceptible to trivial state-exhaustion attacks. This is not a good idea.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton