[dns-operations] rate-limiting state

Colm MacCárthaigh colm at stdlib.net
Thu Feb 6 22:44:02 UTC 2014


On Thu, Feb 6, 2014 at 2:37 PM, Paul Vixie <paul at redbarn.org> wrote:

> For example, if the authoritative provider www.example.com were to
> implement RRL as you describe, then an attacker could spoof traffic
> purporting to be from Google Public DNS, OpenDNS, Comcast ... etc, and
> cause www.example.com to be un-resolvable by users of those resolvers.
>
>
> no. it just does not work that way.
>

O.k., so say I spoof 10M UDP queries per second and 10M TCP SYNs per second
purporting to be from OpenDNS's IP address. Does RRL (a) let the queries
and SYNs go answered, or (b) rate limit the responses?

If it's (a) RRL doesn't prevent the reflection. If it's (b) then you
complete a denial of service attack against the OpenDNS users.

Which is it? Or what's option (c)?

-- 
Colm
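The situation described above, as an added simulation that is not part of this thread or of any RRL implementation: a simplified limiter keyed by (client /24, qname) the way RRL does it, plus the "slip" idea where every Nth limited response is sent truncated (TC=1) instead of dropped, so a genuine resolver can fall back to TCP. The class, the resolver address, the rates and the flood size are constructed assumptions.

```python
from collections import defaultdict


def prefix24(ip):
    """Collapse an IPv4 address to its /24, the granularity RRL typically uses."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


class ResponseRateLimiter:
    """Toy RRL model (constructed for this example, not BIND's code).

    State is shared by everyone inside one /24 asking for one name, so a
    spoofed flood claiming a resolver's address drains the same bucket that
    the resolver's genuine queries need.
    """

    def __init__(self, responses_per_second=5, slip=2):
        self.rate = responses_per_second   # credits refilled per second; also the burst cap
        self.slip = slip                   # every slip-th limited response is truncated, not dropped
        self.buckets = {}                  # (prefix, qname) -> (credits, last_refill_second)
        self.limited = defaultdict(int)    # count of limited responses per key

    def decide(self, client_ip, qname, second):
        key = (prefix24(client_ip), qname)
        credits, last = self.buckets.get(key, (self.rate, second))
        credits = min(self.rate, credits + (second - last) * self.rate)  # refill once per second
        if credits > 0:
            self.buckets[key] = (credits - 1, second)
            return "answer"                # full UDP response: this is the reflection case
        self.buckets[key] = (0, second)
        self.limited[key] += 1
        if self.slip and self.limited[key] % self.slip == 0:
            return "truncate"              # small TC=1 reply; a real resolver retries over TCP
        return "drop"                      # silent drop; a real resolver sees a timeout


def simulate(spoofed_per_second, seconds=3, legit_per_second=3, slip=2):
    """Return how the resolver's own queries fare while a flood claims its address."""
    rrl = ResponseRateLimiter(responses_per_second=5, slip=slip)
    resolver = "198.51.100.10"             # constructed stand-in for a public resolver
    outcome = defaultdict(int)
    for t in range(seconds):
        for _ in range(spoofed_per_second):      # spoofed queries land first each second
            rrl.decide(resolver, "www.example.com", t)
        for _ in range(legit_per_second):        # then the resolver's genuine queries
            outcome[rrl.decide(resolver, "www.example.com", t)] += 1
    return dict(outcome)
```

With no flood every genuine query is answered; with a 100-query-per-second flood none are, and only the slip ratio decides whether the resolver gets a TC=1 hint to retry over TCP or just timeouts.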