[dns-operations] Configurable TC=1?

Ralf Weber dns at fl1ger.de
Sun Dec 27 23:11:06 UTC 2015


Moin!

On 25 Dec 2015, at 3:09, Paul Vixie wrote:
> On Thursday, December 24, 2015 12:22:41 PM Ralf Weber wrote:
>> My goal is to help people to mitigate attacks. For that I use all of
>> the available tools.
>
> every time we use an incrementally just-good-enough tool to stop 
> attackers, we educate
> them without demotivating them. please stop. the systemic defects in 
> the internet that make
> it insecure include the approach you are describing.
I assume that if we would design the Internet today we would do it 
differently, but we live in the Internet we have today and need to make 
it work somehow. Thinking about "politically correct" defences might work 
when you look at it from an academic level, but not when you're in the 
midst of fighting an attack. And to repeat: not all DNS attacks can be 
mitigated by RRL. Rate limiters are just one tool.

>> There are scenarios where RRL just won't work as others have pointed
>> out.
>
> no. actually, what's been described are various bypasses that work 
> around RRL, all of which
> are far more expensive (in retooling costs) to attackers than shifting 
> to a completely different
> protocol (SSDP, ICMP, NTP, or TCP-SYN).
So what. This already happened. There are DNS attacks that only use a 
certain qps to fly below the rate limiter ratio, but use a wide variety 
of addresses or names depending on the algorithm. There are botnet-based 
random subdomain attacks that will bypass all protection we put in with 
answering TC or cookies at the authoritative servers, as they will be run 
over legitimate resolvers. There also still is an army of over 14 
million open resolvers out there that might forward to ISP resolvers and 
even cache answers. Not all problems can be solved by RRL, but there are 
other tools/techniques that might help.

So long
-Ralf
