[dns-operations] rate-limiting state

Damian Menscher damian at google.com
Fri Feb 7 00:42:26 UTC 2014


On Thu, Feb 6, 2014 at 4:26 PM, Colm MacCárthaigh <colm at stdlib.net> wrote:

> I don't see anyone disputing my example, and I'm not calling out RRLs
> ability to dampen a reflection attack. I'm saying that RRL can be used to
> counter-attack your users.  Let's say a busy website gets 1,000 QPS of
> "real" user queries. If I want those queries to survive say with 2 retries,
> then I need to let through 40% of traffic to have a 95p confidence of them
> getting an answer. Yes, I'll have mitigated the reflection to 4Gbit/sec,
> but meanwhile users will be seeing increased resolution times and timeouts.


My recommendation (which Vixie and Vernon disagree with) is to use RRL with
slip=1 -- return TC=1 responses to all queries over the limit.  This
ensures your legitimate users can get through with a TCP request, rather
than having to attempt multiple retries before learning to retry over TCP.
Does slip=1 address your concerns?

Of course TCP isn't perfect -- it has higher latency and per-connection
costs -- but at least it ensures your legitimate users can't be affected by
the RRL.

Damian
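The point above (slip=1 turns every over-limit response into a small TC=1 reply, so a real resolver switches to TCP on its first attempt instead of timing out and retrying over UDP) can be made concrete with a simulation. The following Python is an added example written for this archive page; it is not code from the thread, from BIND or from any RRL implementation. It models one token bucket shared by an attacker spoofing a victim netblock and by legitimate resolvers in that same netblock, with constructed traffic rates. The field names `responses_per_second` and `slip` mirror the BIND `rate-limit` options of the same name; the refill model, the 1 s resolver retry timeout and the two UDP retries are assumptions of the example.

```python
"""Added example (not from the thread): simulate RRL's `slip` setting.

RRL keeps a token bucket per (client netblock, response) tuple.  When the
bucket is empty a response is rate-limited: with slip=0 it is dropped, with
slip=N every Nth rate-limited response becomes a tiny TC=1 (truncated) reply
that tells a real resolver to retry over TCP.  Here an attacker spoofs a
victim netblock, so legitimate resolvers in that netblock share the
exhausted bucket.  All traffic below is constructed.
"""
import heapq
import random
from dataclasses import dataclass


@dataclass
class RRLBucket:
    responses_per_second: int   # assumed: credit added per second, capped at this
    slip: int                   # 0 = drop all over-limit, N = truncate every Nth
    tokens: float = 0.0
    last_refill: float = 0.0
    slip_counter: int = 0

    def decide(self, now: float) -> str:
        """Return 'answer', 'truncate' or 'drop' for a query arriving at `now`."""
        # Refill credit proportional to elapsed time, capped at one second's worth.
        self.tokens = min(self.responses_per_second,
                          self.tokens + (now - self.last_refill) * self.responses_per_second)
        self.last_refill = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return "answer"
        if self.slip <= 0:
            return "drop"
        self.slip_counter += 1
        if self.slip_counter >= self.slip:
            self.slip_counter = 0
            return "truncate"   # small TC=1 reply: no amplification, resolver moves to TCP
        return "drop"


def simulate(slip, attack_qps=200, legit_clients=100, udp_retries=2,
             retry_timeout=1.0, seed=7):
    """Run spoofed attacker traffic plus legitimate resolvers against one bucket.

    Returns how many legitimate resolvers were answered over UDP, answered
    after switching to TCP because they received TC=1, or gave up.
    """
    rng = random.Random(seed)
    bucket = RRLBucket(responses_per_second=5, slip=slip)
    horizon = retry_timeout * (udp_retries + 1)
    events = []   # (time, seq, kind, client_id, attempt); seq keeps ordering total
    seq = 0
    # Attacker: evenly spaced spoofed queries for the whole horizon.
    t = 0.0
    while t < horizon:
        events.append((t, seq, "attacker", None, 0))
        seq += 1
        t += 1.0 / attack_qps
    # Legitimate resolvers: one query each at a random instant in the first second.
    for cid in range(legit_clients):
        events.append((rng.random(), seq, "legit", cid, 1))
        seq += 1
    heapq.heapify(events)
    result = {"served_udp": 0, "served_tcp": 0, "failed": 0}
    while events:
        when, _, kind, cid, attempt = heapq.heappop(events)
        verdict = bucket.decide(when)
        if kind != "legit":
            continue   # the attacker's own outcome does not matter for this measurement
        if verdict == "answer":
            result["served_udp"] += 1
        elif verdict == "truncate":
            result["served_tcp"] += 1   # TCP is not rate-limited; resolver retries at once
        elif attempt <= udp_retries:
            # Dropped: the resolver waits for its timeout and retries over UDP.
            heapq.heappush(events, (when + retry_timeout, seq, "legit", cid, attempt + 1))
            seq += 1
        else:
            result["failed"] += 1
    return result


if __name__ == "__main__":
    for s in (0, 1, 2):
        print(f"slip={s}: {simulate(s)}")
```

With slip=1 no legitimate resolver fails: a few are lucky enough to hit a refilled bucket and get a UDP answer, the rest get TC=1 on their first try and complete over TCP. With slip=0 almost every legitimate query in the spoofed netblock is lost even after retries, and slip=2 sits in between, which is the "counter-attack your users" effect the thread is discussing.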