[dns-operations] rate-limiting state

Paul Vixie paul at redbarn.org
Thu Feb 6 22:37:00 UTC 2014



Colm MacCárthaigh wrote:
>
> Your article mentions RRL and asymmetric threats,  but does not
> mention that RRL opens the implementor up to a new asymmetric threat.
> With RRL, an attacker can spoof legitimate clients and cause the RRL
> implementation to deny them service. 

no.

>
> For example, if the authoritative provider www.example.com
> <http://www.example.com> were to implement RRL as you describe, then
> an attacker could spoof traffic purporting to be from Google Public
> DNS, OpenDNS, Comcast ... etc, and cause www.example.com
> <http://www.example.com> to be un-resolvable by users of those
> resolvers. 

no. it just does not work that way.

>
> The more widely RRL is applied to more protocols and schemes, the more
> they are vulnerable to this same simple counter-attack. It seems like
> setting the internet up with a brittle component that may ultimately
>  makes spoofing-based denial of service easier, not harder. This
> creates additional risk on the implementor at very little benefit to
> themselves, which still seems asymmetric.

dns rrl is a protocol-specific approach to rate limiting, for dns, based
on responses.

as i said in the ACM Queue article, every protocol we want to rate limit
is going to need a protocol-specific, protocol-aware method of rate
limiting. we must not create new vulnerabilities as a side effect of
closing old ones.

vixie
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20140206/d1af46a2/attachment.html>


More information about the dns-operations mailing list