[dns-operations] "Poorly configured DNSSEC servers at root of DDoS attacks"

Tony Finch dot at dotat.at
Mon Sep 5 14:39:26 UTC 2016


Paul Vixie <paul at redbarn.org> wrote:
> Tony Finch wrote:
> > Paul Vixie<paul at redbarn.org>  wrote:
> > > blocking ANY wastes your time and annoys the pig. only protocol aware rate
> > > limiting, for example DNS RRL, will keep your authority server from being
> > > an
> > > attractive reflecting amplifier.
> >
> > RRL and minimal-any mitigate different kinds of attacks.
> >
> > minimal-any is useful for query floods from legitimate clients (e.g. if a
> > bunch of recursive servers are being used as amplifiers) because it avoids
> > pushing queries to TCP and overloading the authoritative server.
>
> what makes you think that DNS RRL pushes queries to TCP in a way that
> overloads the authority server?
>
> if DNS RRL did that, it would be bad design, no matter whether the repeated
> flows are dominated by queries from legitimate clients, or not.

I didn't say that it was RRL's fault that the queries were pushed to TCP :-)

In our case the problem was that a very large number of recursive servers
were being used as reflectors, and the spoofed queries were for a domain
hosted by us. So because they were legitimate clients, RRL was no help at
reducing the traffic on the authority servers. Fine, that's how it is
supposed to work.

The problem was that the responses bust the EDNS buffer size, so the
clients switched to TCP - lots of clients, enough to make the authorities
sad.

With both minimal-responses and minimal-any pretty much all UDP responses
fit within one packet. We're keen on that because we want to avoid
provoking middleboxes that don't like fragments.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Northwest Hebrides, Bailey: Cyclonic 5 to 7, becoming southwesterly 7 to
severe gale 9. Rough becoming high or very high. Occasional rain. Moderate or
poor, occasionally good.
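The contrast Tony draws above (RRL keys on the client prefix, so many distinct legitimate resolvers never trip it, while an oversized ANY answer pushes every one of them to TCP) as an added Python model, not code from the post or from any DNS server; the resolver addresses, RRset sizes and the 64-byte header overhead are constructed, and the RRL logic is a deliberately simplified per-second counter.

```python
from collections import Counter, namedtuple

Query = namedtuple("Query", "sec src qname")

# Constructed apex RRsets of a signed zone: type -> wire bytes incl. RRSIG.
# Sizes are illustrative, not measured from any real zone.
APEX_RRSETS = {"SOA": 260, "NS": 330, "A": 190, "AAAA": 200, "MX": 290,
               "TXT": 1700, "DNSKEY": 1000, "CAA": 210, "NSEC": 260}
HEADER_OVERHEAD = 64  # header + question + OPT, constructed estimate

def response_size(rrsets, minimal_any):
    """Wire size of an ANY answer: every RRset, or (minimal-any) just one.
    Which single RRset a server picks is implementation-specific; taking
    the first one is an assumption here."""
    payload = next(iter(rrsets.values())) if minimal_any else sum(rrsets.values())
    return HEADER_OVERHEAD + payload

def rrl_drops(queries, limit_per_sec=5):
    """Simplified DNS RRL: identical answers to one client /24 for one qname
    are capped per second; anything over the cap is dropped (real RRL may
    also 'slip' a truncated reply instead of dropping)."""
    seen, dropped = Counter(), 0
    for q in queries:
        prefix24 = ".".join(q.src.split(".")[:3])
        seen[(q.sec, prefix24, q.qname)] += 1
        if seen[(q.sec, prefix24, q.qname)] > limit_per_sec:
            dropped += 1
    return dropped

def tcp_fallbacks(queries, rrsets, edns_bufsize, minimal_any):
    """Answers larger than the client's EDNS buffer go out with TC=1 and the
    client retries over TCP: count how many of these queries that costs."""
    oversized = response_size(rrsets, minimal_any) > edns_bufsize
    return len(queries) if oversized else 0

def reflected_flood(n_resolvers=2000, qname="example.com."):
    # Spoofed queries bounced off many real recursive servers, each in its
    # own /24 (constructed 10.x.y.1 addresses), each asking the authority once.
    return [Query(0, f"10.{i // 256}.{i % 256}.1", qname) for i in range(n_resolvers)]

def spoofed_flood(n=2000, qname="example.com."):
    # The case RRL is built for: one spoofed source behind a burst of queries.
    return [Query(0, "203.0.113.7", qname) for _ in range(n)]

if __name__ == "__main__":
    for name, flood in (("spoofed", spoofed_flood()), ("reflected", reflected_flood())):
        print(name, "RRL drops:", rrl_drops(flood),
              "TCP fallbacks, full ANY:", tcp_fallbacks(flood, APEX_RRSETS, 4096, False),
              "with minimal-any:", tcp_fallbacks(flood, APEX_RRSETS, 4096, True))
```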
