[dns-operations] DNS ANY record queries - Reflection Attacks

Eric Osterweil eosterweil at verisign.com
Tue Sep 11 14:21:17 UTC 2012 

On Sep 11, 2012, at 1:40 AM, Paul Vixie wrote:

> On 2012-09-11 5:36 AM, Mohamed Lrhazi wrote:
>> Nope. I have not, and am not using BIND unfortunately. But I guess you
>> are saying: Limit responses to any client to some number per some time
>> window.
>> 
>> What would be an appropriate number, per what time window, to be
>> effective and lesser the chances of false positives?
> 
> the defaults are round numbers (10 similar responses per second per v4
> /24 or v6 /56, keep history for five seconds) and are shockingly
> effective. Important Note: it's not responses per client, but rather,
> responses per client network per response type, that must be limited.
> you can't do the right thing in a firewall or other in-path device, you
> get too many false negatives and false positives that way. the proposed
> response is how you bucketize safely.
> 
> i'll be happy to describe DNS RRL to your non-BIND implementor if they
> want to know more about it. it's totally open, both the concept and the
> implementation in C for BIND are BSD-licensed.


Hey all, I think it's great that we are rallying (as a community) to find ways to address these DNS-based DDoS attacks, but I'm a little worried about this specific way we are proposing to do it.  That is, I think I either don't understand RRL, or I _do_ understand it, and worry about the correctness of the overall approach.

So, can I just make sure I understand the RRL idea?  If, under non-attack circumstances, I get a traffic rate of `r' from a given subnet, but an amplification attack sends me `99*r' (causing a total traffic rate of `100*r'), then I should rate limit?  So, my back of the envelope calculation says that I will reward the attack traffic over the non-attack traffic.  That is, if I limit the response rate back down to `r', then I will drop 99/100 responses to reach that target.  My legitimate client (subnet) has only about a 1/100 chance of getting each query answered here (all other response slots are given to my adversary)... I think rate limiting is kind of the wrong direction.  Did I misunderstand some aspect?

Also, when you say, ``shockingly effective,'' how can we measure effectiveness, in order to verify the approach?

Thanks,

Eric

More information about the dns-operations mailing list