[dns-operations] First experiments with DNS dampening to fight amplification attacks

Dobbins, Roland rdobbins at arbor.net
Mon Oct 29 17:59:44 UTC 2012

On Oct 29, 2012, at 8:26 PM, Klaus Darilion wrote:

>  So, the result may not be perfect, but it is better  then no rules at all.

I'm not sure that this is a true statement.

If the rate-limiting is based upon source IPs, then there's potentially a lot of state there.  If the rate-limiting is based upon the destination IP, then it guarantees that programmatically-generated attack traffic will 'crowd out' legitimate requests.

Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton

More information about the dns-operations mailing list