[dns-operations] bind-9.9.3rc2 ANY+TCP patch
Vernon Schryver
vjs at rhyolite.com
Thu May 16 12:54:18 UTC 2013
> From: Matthijs Mekking <matthijs at nlnetlabs.nl>
> >> https://indico.dns-oarc.net/indico/getFile.py/access?contribId=4&resId=0&materialId=slides&confId=0
> >>
> >> Page #12
> > I also wonder about the definition of "false positive." There are many
> > plausible candidates.
>
> I agree. Basically it is a query from an attacker that is not being
> dropped.
That sounds like a "false negative" instead of a "false positive."
A "false positive" would be dropping or "slipping" a legitimate or
non-attack query.
A "true positive" is correctly identifying and dealing with an
attack packet.
A "true negative" is correctly identifying and not harming a
non-attack packet.
https://www.google.com/search?q=false+positive
http://www.mathsisfun.com/data/probability-false-negatives-positives.html
https://en.wikipedia.org/wiki/Type_I_and_type_II_errors
Perhaps "Slip 1" on page #12 refers to the RRL parameter. If I assume
"False positives" means "truncated responses" (which are true positives
instead of false positives), then all of the table except the "TCP
responses" column makes sense. I have no idea what "TCP response"
column means.
> I know it has more to it than that. It might be a good idea to
> define the term in the technical note. I can write some initial text, if
> that is appreciated.
I would a appreciate a few words here.
I don't understand the graphs and tables, but I agree with the
conclusions on page #20.
Vernon Schryver vjs at rhyolite.com
More information about the dns-operations
mailing list