[dns-operations] correction about RRL leakage
paul vixie
paul at redbarn.org
Wed Sep 26 18:27:26 UTC 2012
On 9/26/2012 5:55 PM, glen wiley wrote:
> This seems like a degenerate case to me...there is a threshold below
> which attacks are no longer meaningful. For most name servers I suspect
> that an attack is only interesting at some rate well above 10's of qps.
>
> As a name server operator not only am I not likely to see anything odd
> in an attack like that, I really don't have the time or inclination to
> care about volumes in that range.
glen, i think you have to care. if someone is eliciting the same (or
effectively the same) response more than five times per second then that
response flow must be curtailed. last night by mistake i coined the term
'orbital death ray' to describe name servers who have no limits
governing what they'll respond to.
since DNS RRL merges all nxdomain responses under the same apex into one
virtual "response flow", this means your servers will cause slowdowns on
nonabusive flows like "look up the host name for every IP address i see
in my syslog". note, i mean slowdowns, not failures. DNS RRL drops
responses in ways designed to induce retries including TCP retries, so
that transactions still succeed if they're not from a spoofed IP source
address.
paul