[dns-operations] rate-limiting state

Patrick W. Gilmore patrick at ianai.net
Fri Feb 7 14:40:48 UTC 2014


On Feb 7, 2014, at 9:16, Tony Finch <dot at dotat.at> wrote:
> Patrick W. Gilmore <patrick at ianai.net> wrote:
>>> On Feb 07, 2014, at 07:09, Tony Finch <dot at dotat.at> wrote:
>>> 
>>> If my busy name server is getting 1000 qps of real traffic from all over
>>> the net, and 1000 qps of attack traffic "from" some victim, then RRL will
>>> attenuate responses to the victim without affecting other users.
>>> 
>>> In the absence of RRL, the victim will be denied service by overwhelming
>>> traffic. In the presence of RRL the victim might have slightly slower DNS
>>> resolution.
>> 
>> Not just the victim.
> 
> What not just the victim? In the absence of RRL the DDoS attack is likely
> to cause collateral damage, yes. In the presence of RRL non-victims are
> unaffected as long as the attack isn't overwhelming the name server.

You said: "In the absence of RRL, the victim will be denied service by overwhelming traffic."

I was saying more than the victim would be hurt in the absence of RRL. The other users of the amp server very likely would be affected through resource exhaustion. Users between the amp & victim as the amp attack makes its way through the Internet. Etc., etc.

My guess is you agree with those statements. Sorry if this wasn't clear originally.

-- 
TTFN,
patrick
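The behaviour Tony describes (responses to the spoofed victim address are attenuated while other clients are answered normally) as an added illustration; this is not code from the thread or from any RRL implementation such as BIND or NSD, which additionally key on the response tuple and use slip/truncation. It assumes a simplified per-source-address token bucket and a constructed traffic mix: 100 legitimate clients at 10 qps each plus 1000 qps spoofed from 192.0.2.1 (a documentation address), against a limit of 50 responses per second per source.

```python
from collections import defaultdict


class TokenBucketRRL:
    """Simplified response rate limiter: one token bucket of per-client state
    per source address, refilled at `rate` tokens per second, capped at `burst`.
    (Simplified model for illustration, not a real RRL implementation.)"""

    def __init__(self, rate, burst=None):
        self.rate = float(rate)
        self.burst = float(burst if burst is not None else rate)
        self.state = {}  # source address -> (tokens, last_update_time)

    def allow(self, src, now):
        """Return True if a response to `src` at time `now` may be sent."""
        tokens, last = self.state.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.state[src] = (tokens - 1.0, now)
            return True
        self.state[src] = (tokens, now)  # over limit: response is dropped
        return False


def simulate(seconds=10, legit_clients=100, legit_qps=1000, attack_qps=1000,
             rate=50, victim="192.0.2.1"):
    """Replay a constructed mix: `legit_qps` spread evenly over `legit_clients`
    sources plus `attack_qps` of reflected queries spoofed from `victim`.
    Returns (offered, answered) query counts per source address."""
    events = []
    per_client = legit_qps // legit_clients
    for c in range(legit_clients):
        src = "10.0.%d.%d" % (c // 256, c % 256)  # constructed client addresses
        events += [(s + k / per_client, src)
                   for s in range(seconds) for k in range(per_client)]
    events += [(s + k / attack_qps, victim)
               for s in range(seconds) for k in range(attack_qps)]
    events.sort()
    rrl = TokenBucketRRL(rate)
    offered, answered = defaultdict(int), defaultdict(int)
    for now, src in events:
        offered[src] += 1
        if rrl.allow(src, now):
            answered[src] += 1
    return offered, answered


if __name__ == "__main__":
    offered, answered = simulate()
    victim = "192.0.2.1"
    legit = [s for s in offered if s != victim]
    print("victim: %d of %d answered" % (answered[victim], offered[victim]))
    print("legit clients fully answered: %d of %d" %
          (sum(answered[s] == offered[s] for s in legit), len(legit)))
```

The victim's reflected traffic is cut to roughly the 50 responses per second the bucket refills, while every legitimate client keeps a fully answered 10 qps; `rrl.state` is exactly the per-client state the subject line refers to.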
