[dns-operations] First experiments with DNS dampening to fight amplification attacks

Lutz Donnerhacke lutz at iks-jena.de
Mon Sep 24 15:24:16 UTC 2012

* Miek Gieben wrote:
> 1. Why didn't you use: http://www.redbarn.org/dns/ratelimits ?

Because the remaining rate of attack is still high enough to cause problems.
We had a serious query from a lawyer of a small company which can't work
anymore because its 2Mbps line is saturated.

> 2. Will this scale to TLD sized DNS servers?

It's in a very early state of development. Currently I'm trying to collect
real world data to find a reasonable set of defaults.

With very conservative values, it might work for a TLD. But I do not
understand the problem space well enough to claim anything.

Please feel free to try it out at your site and tell me about the results.

Paul, yes it drops all the responses in dampening state. It does it for a
very good reason: Even REFUSED messages are enough to run the attack.
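The point made above, that a dampened source must receive nothing at all because even REFUSED replies still reach the victim, as an added toy model that is not part of this post or of the dampening patch it describes. It places a penalty-with-decay dampener beside a simple per-second rate limiter that keeps answering REFUSED; all sizes, thresholds and the attack shape are constructed assumptions, not the patch's defaults.

```python
# Added example (not from the post or from the BIND dampening patch): a toy model of
# DNS dampening beside a simple per-source rate limiter, showing why dampening
# drops *every* response, REFUSED included, once a source is in dampening state.
# All thresholds, decay and sizes below are constructed assumptions.

RESPONSE_BYTES = 3000      # constructed: size of one amplified answer
REFUSED_BYTES = 40         # constructed: size of a REFUSED/truncated reply
HALFLIFE = 10.0            # seconds until a source's penalty halves
DAMPEN_AT = 10_000         # penalty at which a source enters dampening
RELEASE_AT = 5_000         # penalty below which it is released (hysteresis)
PENALTY_CAP = 40_000       # bounds the lock-out time after the attack stops


class Dampener:
    """Per-source penalty that grows with bytes sent and decays exponentially."""

    def __init__(self):
        self.state = {}    # src -> (penalty, last_seen, dampened)

    def decide(self, src, now, response_bytes):
        """Return the bytes actually sent to src for this query (0 = dropped)."""
        penalty, last, dampened = self.state.get(src, (0.0, now, False))
        penalty *= 0.5 ** ((now - last) / HALFLIFE)           # decay since last query
        penalty = min(penalty + response_bytes, PENALTY_CAP)  # charge what we *would* send
        if dampened and penalty < RELEASE_AT:
            dampened = False
        elif not dampened and penalty >= DAMPEN_AT:
            dampened = True
        self.state[src] = (penalty, now, dampened)
        return 0 if dampened else response_bytes


class RateLimiter:
    """Simple per-source, per-second limit that still answers REFUSED above it."""

    def __init__(self, per_second):
        self.per_second, self.seen = per_second, {}

    def decide(self, src, now, response_bytes):
        key = (src, int(now))                                  # one-second window
        self.seen[key] = self.seen.get(key, 0) + 1
        return response_bytes if self.seen[key] <= self.per_second else REFUSED_BYTES


def bytes_to_victim(policy, qps=1000, seconds=5):
    """Constructed attack: qps spoofed queries/s for `seconds`, all carrying one victim address."""
    return sum(policy.decide("victim", i / qps, RESPONSE_BYTES) for i in range(qps * seconds))
```

With these constructed numbers the rate limiter still pushes 348000 bytes of mostly REFUSED traffic at the victim's line over five seconds, while the dampener delivers only the 9000 bytes sent before the penalty crossed the threshold and then releases the source once its penalty has decayed.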

