[dns-operations] Defending against DNS reflection amplification attacks

Jaroslav Benkovský jaroslav.benkovsky at nic.cz
Fri Feb 22 10:20:52 UTC 2013


On 02/20/2013 08:48 AM, Jan-Piet Mens wrote:
> FYI, a paper (Feb 2013) titled "Defending against DNS reflection
> amplification attacks" at [1].

Interesting. Since the problem with RRL at low NXDomain ratio is the
number of buckets, i.e. names queried, perhaps it would be possible to
limit the number of buckets by grouping names together for the purpose
of assigning the bucket?

E.g. a name server could adaptively assign names to a limited number of
groups so that each group gets roughly the same amount of qps (or total
sum of RRL score of the constituent domains) and then use the group id
instead of a name as a bucket key.

Or if this added complexity is too high, perhaps just (semi) random
assignment of group id to a name on zone reload would be sufficient.

Jaroslav Benkovsky




More information about the dns-operations mailing list