[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

Damian Menscher damian at google.com
Sun Sep 4 15:14:21 UTC 2016


On Sun, Sep 4, 2016 at 7:27 AM, Matthew Pounsett <matt at conundrum.com> wrote:
>
> On 4 September 2016 at 00:42, Roland Dobbins <rdobbins at arbor.net> wrote:
>
>>
>>> I understand that RRL can help in the case of amplification directly off
>>> authoritative servers, but I've never seen an attacker do that (or perhaps
>>> just didn't notice).
>>>
>>
>> I see it quite frequently.
>>
>
> As someone who operates large authoritative infrastructures, I also see
> it quite frequently.  With RRL in place they are merely frequent attempts.
>
> Prior to RRL these were very successful attacks against other
> infrastructures.  Occasionally I'd see an attacker find a good enough
> packet source, and a good enough query string, to get enough outbound
> traffic to damage my performance as well as the actual target.  These
> attacks used to be daily, and large.
>

Thanks for the feedback... I'll start looking for these.  It's possible I
haven't seen them since our authoritative servers aren't good amplification
sources, and on the defense side we tend to not notice attacks unless
they're quite large.

To help me know what to look for, can someone give a sense of what "large"
means?  Not sure if you're thinking 1Mpps or 100Mpps here. ;)

Also, it sounds like you're suggesting they find a single authoritative
server to amplify off of, rather than distributing their attack across
hundreds/thousands of domains?  That seems likely to limit their peak
bandwidth unless the authoritative server is operated by a major provider,
which may be why I never noticed this method.

Damian