[dns-operations] rate-limiting state

David C Lawrence tale at akamai.com
Fri Feb 7 15:14:57 UTC 2014


Tony Finch writes:
> At that point the name server itself is the victim, and there isn't
> anything it can do about the attack - DDoS mitigation has to happen well
> upstream of the victim.

Well, it's *a* victim, if not the intended target.  As someone who
runs servers behind a small pipe (and recently had the pipe collapse
thanks to an NTP reflection targeted at someone else) I definitely
agree with you.

As a supporter of RRL, I'll point out that even with overwhelming
inbound attack traffic, RRL will still help, so "isn't anything it can
do about the attack" is too bleak.


