[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

Matthew Pounsett matt at conundrum.com
Sun Sep 4 14:27:25 UTC 2016


On 4 September 2016 at 00:42, Roland Dobbins <rdobbins at arbor.net> wrote:

>> I understand that RRL can help in the case of amplification directly off
>> authoritative servers, but I've never seen an attacker do that (or perhaps
>> just didn't notice).
>
> I see it quite frequently.

As someone who operates large authoritative infrastructures, I also see it
quite frequently.  With RRL in place they are merely frequent attempts.

Prior to RRL these were very successful attacks against other
infrastructures.  Occasionally I'd see an attacker find a good enough
packet source, and a good enough query string, to get enough outbound
traffic to damage my performance as well as the actual target.  These
attacks used to be daily, and large.