[dns-operations] "Poorly configured DNSSEC servers at root of DDoS attacks"
Tony Finch
dot at dotat.at
Tue Sep 6 14:44:14 UTC 2016
Paul Vixie <paul at redbarn.org> wrote:
> Tony Finch wrote:
> >
> > AIUI RRL would have reduced our UDP response rate, which would have
> > caused retries and therefore a higher UDP query rate. ...
>
> i think you should try it. it's designed to not do what you're describing.
I've been running it for years.
I was describing what is covered in section 4.1 of
http://ss.vix.su/~vixie/isc-tn-2012-1.txt
> > Even so, it is still useful to make my servers more robust against being
> > collateral damage in an attack aimed at someone else, and it is good to
> > make my servers less attractive for use in attacks on others.
>
> no, it's not. you're doing far more work blocking ANY than the attacker would
> have to do to switch to a different qtype. in the unending game play of
> cybercat and cybermouse, that means you lose the current round.
Sounds like a win to me! If an attacker uses my servers directly I have
RRL, and if they use my domains to bounce off a recursive server, their
amplification factor is much smaller, and I can refill the recursive
caches more cheaply.
If minimal-any is wrong, what should I have done instead?
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/ - I xn--zr8h punycode
Trafalgar: Northerly 5 or 6 at first in north, otherwise variable, becoming
northwesterly later, 3 or 4. Moderate, occasionally slight in southeast. Fog
patches. Moderate or good, occasionally very poor.
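Added illustration, not part of the thread: a toy Python model of the retry effect Tony describes. It assumes a simplified RRL in the spirit of ISC-TN-2012-1 (one token bucket per client /24 and question, with a slip ratio that sends every Nth excess response as TC=1) and resolvers that resend a dropped UDP query a fixed number of times; the client addresses, rates and limits are constructed for the example.

```python
from collections import defaultdict

class RRL:
    """Toy RRL: one token bucket per (client /24, qname, qtype), refilled every
    second. When empty, every slip-th excess response is sent with TC=1 so a
    genuine client can retry over TCP; the other excess responses are dropped."""
    def __init__(self, responses_per_second, slip=2):
        self.rps, self.slip = responses_per_second, slip
        self.tokens = defaultdict(lambda: self.rps)
        self.excess = defaultdict(int)

    def new_second(self):
        self.tokens.clear()  # defaultdict refills a bucket to rps on next use

    def respond(self, client, qname, qtype):
        bucket = (client.rsplit(".", 1)[0], qname, qtype)  # key on client /24
        if self.tokens[bucket] > 0:
            self.tokens[bucket] -= 1
            return "answer"
        self.excess[bucket] += 1
        if self.slip and self.excess[bucket] % self.slip == 0:
            return "truncated"
        return "drop"

def simulate(rrl, clients, queries_per_second, seconds, retries=2):
    """Legitimate resolvers in one /24 asking the same question. A dropped UDP
    query is resent up to `retries` times; a TC=1 reply moves it to TCP."""
    stats = {"udp_queries": 0, "udp_answers": 0, "tcp_queries": 0}
    for _ in range(seconds):
        rrl.new_second()
        for client in clients:
            for _ in range(queries_per_second):
                for _ in range(retries + 1):
                    stats["udp_queries"] += 1
                    result = rrl.respond(client, "example.net", "ANY")
                    if result == "answer":
                        stats["udp_answers"] += 1
                        break
                    if result == "truncated":
                        stats["tcp_queries"] += 1
                        break
                    # "drop": the client times out and resends the same query
    return stats

def compare(seconds=2):
    """Same constructed client load with and without rate limiting."""
    clients = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]  # constructed, one /24
    unlimited = simulate(RRL(responses_per_second=10**6), clients, 4, seconds)
    limited = simulate(RRL(responses_per_second=5, slip=2), clients, 4, seconds)
    return unlimited, limited
```

With the limit on, the server sends fewer UDP answers but sees more UDP queries, because every dropped response comes back as a retry until the client gives up or is slipped onto TCP.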