[dns-operations] responding to spoofed ANY queries

Frank Bulk frnkblk at iname.com
Thu Jan 17 02:15:27 UTC 2013


Perhaps the ratio could be a dynamic whitelist -- if it's 1.5 or less, then
allow the response to go out.

Frank

-----Original Message-----
From: dns-operations-bounces at lists.dns-oarc.net
[mailto:dns-operations-bounces at lists.dns-oarc.net] On Behalf Of Vernon
Schryver
Sent: Sunday, January 13, 2013 4:52 PM
To: dns-operations at lists.dns-oarc.net
Subject: Re: [dns-operations] responding to spoofed ANY queries

> From: Jim Reid <jim at rfc1035.com>

> I suppose a name server could keep a (small?) cache of recently
> marshalled answers and use that to either rate limit responses which
> are too large or identical to one that has recently been sent to the
> same IP address(es). [For some definition of large and recent.]

A problem with that thought is what I tried to state before, that there
is no definition of "large" that is small enough to permit an exemption
from rate limiting but not so small that it keeps minimal DNS responses
rate limited.
For example, it seems that <random>.rfc1035.com to your 93.186.33.42 is
good for a 2X amplified stream of NXDOMAINS.  2X is small but too high
for DoS victims to tolerate.  I trust you will eventually turn on
DNSSEC, which will probably boost your amplification of random requests
well above 5X.

> It could be good to have something which rate limits outgoing responses
> in addition to what's done with incoming queries.

Please recall that RRL stands for *response* rate limiting and neither
*query* rate limiting nor *client* rate limiting.  The differences are
significant.

Among those differences is one that wrecks the goal of turning off
RRL for those mythical small enough to not be amplified responses.
Because RRL is about rate limiting responses instead of clients,
there are few or no good reasons to turn it off for large or small
legitimate responses.  Legitimate responses are not frequently
repeated and so don't get dropped except in rare or dubious scenarios.


Vernon Schryver    vjs at rhyolite.com
_______________________________________________
dns-operations mailing list
dns-operations at lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
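The two ideas argued over above, a limiter keyed on the response and its destination rather than on the querying client, and a size-ratio whitelist that lets small responses bypass it, as an added Python sketch that is not from the thread or from any RRL implementation; the documentation addresses, byte sizes, /24 prefix, 5-per-second limit and the zone-equals-last-two-labels rule are constructed assumptions:

```python
from collections import defaultdict
from ipaddress import ip_network


class ResponseRateLimiter:
    """Toy RRL: at most N identical responses per destination prefix per second.
    The bucket key is (where the response goes, what it says), never the client.
    exempt_ratio, when set, models the thread's size-ratio whitelist: responses
    amplifying the query by at most that factor are never counted at all."""

    def __init__(self, per_second=5, prefix_len=24, exempt_ratio=None):
        self.per_second, self.prefix_len = per_second, prefix_len
        self.exempt_ratio = exempt_ratio
        self.counts = defaultdict(int)  # (prefix, identity, second) -> count

    @staticmethod
    def identity(qname, qtype, rcode):
        labels = qname.lower().rstrip(".").split(".")
        if rcode == "NXDOMAIN":
            # NXDOMAINs from one zone are the same answer apart from the random
            # label, so aggregate them (assumption: zone = last two labels)
            return ("NXDOMAIN", ".".join(labels[-2:]))
        return (rcode, ".".join(labels), qtype.upper())

    def allow(self, dst_ip, qname, qtype, rcode, now, qlen=0, rlen=0):
        if self.exempt_ratio is not None and qlen and rlen / qlen <= self.exempt_ratio:
            return True  # whitelisted by size ratio: bypasses the limiter
        prefix = ip_network(f"{dst_ip}/{self.prefix_len}", strict=False)
        key = (prefix, self.identity(qname, qtype, rcode), int(now))
        self.counts[key] += 1
        return self.counts[key] <= self.per_second


def simulate(limiter, events):
    """events: (time, dst_ip, qname, qtype, rcode, qlen, rlen) -> (sent, dropped)."""
    sent = dropped = 0
    for t, dst, qname, qtype, rcode, qlen, rlen in events:
        if limiter.allow(dst, qname, qtype, rcode, t, qlen, rlen):
            sent += 1
        else:
            dropped += 1
    return sent, dropped


def stream(dst, names, qtype, rcode, qlen, rlen):
    """Constructed traffic: one query every 10 ms, all inside the same second."""
    return [(0.01 * i, dst, n, qtype, rcode, qlen, rlen) for i, n in enumerate(names)]
```

Run `simulate(ResponseRateLimiter(), stream(...))` with a repeated-name stream to a spoofed victim address and with a stream of distinct names from a resolver to compare what each limiter drops.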