[dns-operations] rate-limiting state
David C Lawrence
tale at akamai.com
Fri Feb 7 14:49:58 UTC 2014
Tony Finch writes:
> Patrick W. Gilmore <patrick at ianai.net> wrote:
> > On Feb 07, 2014, at 07:09 , Tony Finch <dot at dotat.at> wrote:
> > > If my busy name server is getting 1000 qps of real traffic from all over
> > > the net, and 1000 qps of attack traffic "from" some victim, then RRL will
> > > attenuate responses to the victim without affecting other users.
> > >
> > > In the absence of RRL, the victim will be denied service by overwhelming
> > > traffic. In the presence of RRL the victim might have slightly slower DNS
> > > resolution.
> > Not just the victim.
> What not just the victim? In the absence of RRL the DDoS attack is likely
> to cause collateral damage, yes. In the presence of RRL non-victims are
> unaffected as long as the attack isn't overwhelming the name server.
Maybe Patrick glossed over the mere "1000 qps", which for many (most?
hand-waving) operators doesn't even blip as an attack. At the
attack-level traffic to which he is accustomed, the inbound requests
can easily surpass the server's ability to generate responses even if
it ends up not sending most of them.
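The scenario the thread argues over can be made concrete with a small model. The block below is an added example, not code from BIND, Akamai or any poster in this thread. It assumes a simplified RRL: one token bucket per (client /24, qname, qtype), a burst allowance of responses_per_second * window that refills once per second, and a "slip" that turns every Nth rate-limited response into a truncated (TC=1) reply so a real client behind the victim address can retry over TCP. The traffic sample is constructed inline: 1000 queries per second from 1000 distinct /24s, interleaved with 1000 queries per second spoofed "from" a single victim address. The names, addresses and parameter values are illustrative choices, not anything the thread states.

```python
"""Toy model of DNS Response Rate Limiting (RRL) for one second of traffic.

Added illustration, not a real server's implementation.  Assumptions:
  - bucket key = (client /24, qname, qtype), burst credit = rps * window,
  - credit refills by rps per elapsed second, capped at rps * window,
  - slip=N: every Nth rate-limited response is sent truncated (TC=1).
"""
import ipaddress
from collections import Counter

VICTIM = "192.0.2.10"          # constructed: the spoofed source address


class RRL:
    def __init__(self, responses_per_second=5, window=15, slip=2, prefix_len=24):
        self.rps = responses_per_second
        self.window = window        # seconds of credit a client may accumulate
        self.slip = slip            # 0 disables slipping
        self.prefix_len = prefix_len
        self.buckets = {}           # key -> [last_second, credit]
        self.limited = Counter()    # key -> count of rate-limited responses

    def _key(self, src_ip, qname, qtype):
        net = ipaddress.ip_network(f"{src_ip}/{self.prefix_len}", strict=False)
        return (net, qname.lower(), qtype)

    def decide(self, now, src_ip, qname, qtype):
        """Return 'send', 'slip' (TC=1 reply) or 'drop' for one response."""
        key = self._key(src_ip, qname, qtype)
        sec = int(now)
        bucket = self.buckets.setdefault(key, [sec, self.rps * self.window])
        last, credit = bucket
        if sec > last:                         # refill for elapsed whole seconds
            credit = min(credit + self.rps * (sec - last), self.rps * self.window)
        if credit > 0:
            bucket[0], bucket[1] = sec, credit - 1
            return "send"
        bucket[0], bucket[1] = sec, credit
        self.limited[key] += 1
        if self.slip and self.limited[key] % self.slip == 0:
            return "slip"
        return "drop"


def build_traffic():
    """Constructed one-second sample: 1000 genuine queries, each from its own
    /24, interleaved with 1000 spoofed queries whose source is the victim."""
    queries = []
    for i in range(1000):
        t = i / 1000.0
        real_src = f"10.{i // 250}.{i % 250}.1"          # 1000 distinct /24s
        queries.append((t, real_src, "www.example.net", "A"))
        queries.append((t, VICTIM, "example.net", "ANY"))
    return queries


def run(rrl, queries):
    """Feed every query through the server.  RRL only decides whether the
    already-built response is sent; parsing and lookup happen regardless."""
    stats = {"victim": Counter(), "others": Counter(), "processed": 0}
    for t, src, qname, qtype in queries:
        stats["processed"] += 1
        verdict = rrl.decide(t, src, qname, qtype)
        stats["victim" if src == VICTIM else "others"][verdict] += 1
    return stats


if __name__ == "__main__":
    s = run(RRL(), build_traffic())
    print("queries processed:", s["processed"])
    print("other clients:   ", dict(s["others"]))
    print("victim address:  ", dict(s["victim"]))
```

With the defaults, the 1000 genuine clients are all answered, the victim's bucket is exhausted after its 75-response burst and the remainder is split between truncated slips and silent drops. The `processed` counter is the point of David's reply: every one of the 2000 queries still costs a parse and a lookup before RRL decides anything, so scaling the attack side up by a few orders of magnitude exhausts the server long before the response path matters.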