[dns-operations] "Poorly configured DNSSEC servers at root of DDoS attacks"

Paul Vixie paul at redbarn.org
Tue Sep 6 11:26:49 UTC 2016

Tony Finch wrote:
> Paul Vixie<paul at redbarn.org>  wrote:
>> your UDP load due to this attack that occurs via valid DNS clients would
>> be reduced by RRL by as much as 2/3rds depending on your RRL
>> configuration.
> AIUI RRL would have reduced our UDP response rate, which would have
> caused retries and therefore a higher UDP query rate. ...

i think you should try it. it's designed to not do what you're describing.

>> i can publish the one line perl script that can do this to you or anybody from
>> anyplace on the Internet, if you think that would be safe for the onlookers.
> Even so, it is still useful to make my servers more robust against being
> collateral damage in an attack aimed at someone else, and it is good to
> make my servers less attractive for use in attacks on others.

no, it's not. you're doing far more work blocking ANY than the attacker
would have to do to switch to a different qtype. in the unending gameplay
of cybercat and cybermouse, that means you lose the current round.

blocking ANY is just silly.

P Vixie
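The RRL behaviour the two posters disagree about, as an added example that is not part of the thread and not BIND's or any other server's code. It is a deliberately small Python model with assumed, simplified BIND-style semantics: one fixed one-second window of `responses_per_second` identical responses per (client /24, qname, qtype), and a `slip` setting under which every slip-th over-limit response is answered with a truncated TC=1 reply rather than silently dropped. The traffic is constructed: a spoofed victim address floods "example.com ANY" while an unrelated resolver asks a few A questions.

```python
"""Toy model of DNS Response Rate Limiting (RRL).

Added example with assumed, simplified BIND-style semantics; not the
thread's or any DNS server's code.  Real RRL uses a token bucket with
credit across a multi-second window; a fixed one-second window is used
here so the counts can be traced by hand.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class RRL:
    responses_per_second: int = 5
    # every slip-th over-limit response becomes a TC=1 reply; 0 = never slip
    slip: int = 2
    _buckets: dict = field(default_factory=dict)

    @staticmethod
    def _key(client_ip, qname, qtype):
        # rate limit per client /24 and per identical response (qname, qtype)
        net = ip_network(f"{client_ip}/24", strict=False)
        return (str(net), qname.lower(), qtype.upper())

    def decide(self, client_ip, qname, qtype, now):
        """Return 'send' (full answer), 'slip' (TC=1, no data) or 'drop'."""
        key = self._key(client_ip, qname, qtype)
        sec = int(now)
        start, count = self._buckets.get(key, (sec, 0))
        if sec != start:                      # new one-second window
            start, count = sec, 0
        count += 1
        self._buckets[key] = (start, count)
        if count <= self.responses_per_second:
            return "send"
        over = count - self.responses_per_second   # 1, 2, 3, ... this second
        if self.slip and over % self.slip == 0:
            # a truncated reply carries no amplification and tells a real
            # client to retry over TCP instead of re-asking over UDP
            return "slip"
        return "drop"


def simulate(rrl, queries):
    """queries: iterable of (time, src_ip, qname, qtype); per-source outcome counts."""
    counts = defaultdict(lambda: {"send": 0, "slip": 0, "drop": 0})
    for t, src, qname, qtype in queries:
        counts[src][rrl.decide(src, qname, qtype, t)] += 1
    return dict(counts)


def constructed_scenario():
    """Constructed traffic: 100 spoofed ANY queries plus 3 legitimate A queries in 1 s."""
    victim = "203.0.113.7"        # spoofed source, the reflection target
    legit = "198.51.100.5"        # unrelated resolver (constructed address)
    q = [(i / 100, victim, "example.com", "ANY") for i in range(100)]
    q += [(0.2, legit, "example.com", "A"),
          (0.5, legit, "www.example.com", "A"),
          (0.9, legit, "example.com", "A")]
    q.sort(key=lambda x: x[0])
    return simulate(RRL(responses_per_second=5, slip=2), q)


def collateral_scenario():
    """A real client in the victim's /24 asking the same question gets TC=1, not silence."""
    rrl = RRL(responses_per_second=5, slip=2)
    for i in range(100):
        rrl.decide("203.0.113.7", "example.com", "ANY", i / 100)
    return rrl.decide("203.0.113.200", "example.com", "ANY", 0.99)


if __name__ == "__main__":
    for src, c in constructed_scenario().items():
        print(src, c)
    print("client in victim /24:", collateral_scenario())
```

In this model the victim receives 5 full "example.com ANY" answers instead of 100, the other 95 are split between silence and tiny TC=1 replies, and the unrelated resolver is untouched because its traffic sits in different buckets. The only client that sees an effect is one sharing the victim's /24 and asking the identical question, and what it sees is a truncated reply, which a conforming resolver follows with a TCP retry rather than another UDP query; that is the design property the reply above refers to.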
