[dns-operations] Configurable TC=1?
dns at fl1ger.de
Sun Dec 27 23:11:06 UTC 2015
On 25 Dec 2015, at 3:09, Paul Vixie wrote:
> On Thursday, December 24, 2015 12:22:41 PM Ralf Weber wrote:
>> My goal is to help people to mitigate attacks. For that I use all of
>> available tools.
> every time we use an incrementally just-good-enough tool to stop
> attackers, we educate
> them without demotivating them. please stop. the systemic defects in
> the internet that make
> it insecure include the approach you are describing.
I assume that if we would design the Internet today we would do it
differently, but we live in the Internet we have today and need to make
it work somehow. Thinking about "political correct" defences might work
when you look at it from an academic level, but not when your in the
midst of fighting an attack. And to repeat not all DNS attacks can be
mitigated by RRL. Rate limiters are just one tool.
>> There are scenarios where RRL just won't work as others have pointed
> no. actually, what's been described are various bypasses that work
> around RRL, all of which
> are far more expensive (in retooling costs) to attackers than shifting
> to a completely different
> protocol (SSDP, ICMP, NTP, or TCP-SYN).
So what. This already happened. There are DNS attacks that only us a
certain qps to fly below the rate limiter ratio, but use a wide variety
of addresses or names depending on the algorithm. There are botnet based
random subdomain attacks, that will bypass all protection we put in with
answering TC or cookies at the authoriative severs as they will be run
over legitimate resolvers. There also still is an army of over 14
million open resolvers out there that might forward to ISP resolvers and
even cache answers. Not all problems can be solved by RRL, but there are
other tools/techniques that might help.
More information about the dns-operations