[dns-operations] How many kinds of DNS DoS attacks are we trying to stop ?

Vernon Schryver vjs at rhyolite.com
Thu Sep 27 20:04:24 UTC 2012


> From: Olafur Gudmundsson <ogud at ogud.com>

> ...
>      If a traffic reducer turns on TC bit in its responses, then if no 
> TCP connection is completed during the next N seconds,
> the reducer can go to full drop mode.

Should the DNS RRL patch stop "slipping" truncated (TC=1) responses
if it seems that no TCP requests have been seen from the CIDR block
within "window" seconds?

 pro:
  - it would help answer concerns about contributing to the DoS attack,
     because some of the "slipped" responses are to forged requests.
  - surely some DNS reflection DoS CIDR block targets lack DNS
     servers and the truncated responses only harm them.

 con:
  - it's not strictly necessary and might not be justified by its
      code and potential bugs.
  - the truncated responses are infrequent and small enough that
     they might not matter.
  - small reflection DoS targets might be sending fewer than 1 request
      per window seconds, and so would miss the false positive mitigation
      effects of the truncated responses.
  - even large reflection DoS targets might be sending fewer than 1 request
      per window seconds to most DoS reflectors and so would miss the
      false positive mitigation effects of the truncated responses.
  - for obvious as well as obscure implementation reasons, the "TCP seen"
      indicator would have a few errors in the "none seen" direction.

I've a detailed sketch of the necessary changes to the code, but
I'm inclined to forget them.

Opinions should probably be expressed in the RRL mailing list at
ratelimits at lists.redbarn.org or
http://lists.redbarn.org/mailman/listinfo/ratelimits
instead of the dns-operations mailing list.


Vernon Schryver    vjs at rhyolite.com
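The mechanism under discussion, as an added example that is not part of the original post and not code from BIND or the RRL patch: a simplified per-CIDR-block rate limiter that "slips" every Nth over-limit response as a truncated (TC=1) reply, plus the proposed rule that a block from which no TCP query has been seen within the window goes to full drop mode instead of slipping. The limits, the slip ratio, the /24 block size, the TEST-NET-2 source address and the query stream are all constructed for the simulation, and the model generalizes the post's sketch slightly by exposing the rule as a switch so the classic and proposed behaviours can be compared side by side.

```python
"""Simplified model of DNS Response Rate Limiting (RRL) with "slip" and the
proposed "no TCP seen -> stop slipping" rule.

Constructed example, not the RRL patch's own code.  Bucket size, window,
slip ratio and the traffic stream are all assumptions made for the demo.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class BlockState:
    """Per-CIDR-block accounting (one entry per /24 in this model)."""
    window_start: float = 0.0     # start of the current counting window
    responses: int = 0            # responses counted in the current window
    slip_counter: int = 0         # over-limit responses seen, for the slip ratio
    last_tcp_seen: float = -1e9   # time of the last TCP query from this block


class RateLimiter:
    def __init__(self, responses_per_window, window, slip, require_tcp_seen=False):
        self.limit = responses_per_window
        self.window = window                  # seconds
        self.slip = slip                      # every slip-th over-limit response is sent TC=1
        self.require_tcp_seen = require_tcp_seen  # proposed rule on/off
        self.blocks = {}

    def _block(self, src):
        # Aggregate by /24 so a spoofed flood against one target shares a bucket.
        net = ipaddress.ip_network(f"{src}/24", strict=False)
        return self.blocks.setdefault(net, BlockState())

    def note_tcp(self, src, now):
        """Record that a TCP query arrived from this block (a real resolver
        retrying after a TC=1 answer, for instance)."""
        self._block(src).last_tcp_seen = now

    def decide(self, src, now):
        """Return 'answer', 'truncate' (TC=1 slip) or 'drop' for one UDP query."""
        st = self._block(src)
        if now - st.window_start >= self.window:
            st.window_start = now
            st.responses = 0
        st.responses += 1
        if st.responses <= self.limit:
            return "answer"
        # Over the limit.  Proposed rule: no TCP from this block within the
        # window means the slipped TC=1 replies are not helping anyone, so drop.
        if self.require_tcp_seen and now - st.last_tcp_seen > self.window:
            return "drop"
        st.slip_counter += 1
        if self.slip and st.slip_counter % self.slip == 0:
            return "truncate"
        return "drop"


def simulate(n_queries, tcp_seen, require_tcp_seen):
    """Run a constructed UDP flood from one source inside a single window and
    return how many queries were answered, truncated and dropped."""
    rl = RateLimiter(responses_per_window=5, window=1.0, slip=2,
                     require_tcp_seen=require_tcp_seen)
    src = "198.51.100.7"  # constructed TEST-NET-2 address standing in for the flood source
    if tcp_seen:
        rl.note_tcp(src, 0.0)  # a TCP retry from the block just before the flood
    counts = {"answer": 0, "truncate": 0, "drop": 0}
    for i in range(n_queries):
        counts[rl.decide(src, i * 0.01)] += 1  # 100 queries spread over 0.99 s
    return counts


if __name__ == "__main__":
    print("classic slip, no TCP seen :", simulate(100, False, False))
    print("proposed rule, no TCP seen:", simulate(100, False, True))
    print("proposed rule, TCP seen   :", simulate(100, True, True))
```

With the classic behaviour the flood still earns 47 truncated replies towards the (possibly forged) source block; with the proposed rule and no TCP activity from that block, every over-limit query is dropped, while a block that has recently retried over TCP keeps receiving the TC=1 slips that let a legitimate resolver recover.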
