[dns-operations] "Poorly configured DNSSEC servers at root of DDoS attacks"
Paul Vixie
paul at redbarn.org
Wed Sep 7 11:44:54 UTC 2016
Tony Finch wrote:
> Paul Vixie <paul at redbarn.org> wrote:
>> Tony Finch wrote:
>>> AIUI RRL would have reduced our UDP response rate, which would have
>>> caused retries and therefore a higher UDP query rate. ...
>> i think you should try it. it's designed to not do what you're describing.
>
> I've been running it for years.
i meant try the specific attack you're worrying about. it should not
behave the way you're worrying it will behave.
>
> I was describing what is covered in section 4.1 of
> http://ss.vix.su/~vixie/isc-tn-2012-1.txt
i do not expect the real clients to repeat their queries more than once
per TTL. statistically that means you won't see many UDP-to-TCP upgrades
as a result of the TC=1 responses you're sending out.
> If minimal-any is wrong, what should I have done instead?
nothing. treat ANY as a strategically valuable attack signature that is
presently useful in traceback activities, and must be preserved for that
purpose, unless you can move us to an end-game scenario where there is
no obvious next move for the bad guys.
--
P Vixie
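The behaviour the two of them are arguing about (RRL suppressing responses to a flooded netblock, sending every other suppressed one as TC=1, and whether that pushes a real resolver in that netblock onto TCP) can be made concrete with a small model. The following is an added illustration written for this archive; it is not code from the thread, from ISC, or from any DNS server, and it only follows the mechanism sketched in ISC-TN-2012-1: a per-second token bucket keyed on (client /24, qname), with the `slip` counter deciding which suppressed responses go out truncated. The addresses (192.0.2.0/24), the attack rate, the 5 responses/second, 15-second window and slip of 2 (BIND's documented defaults), and the "real resolver re-asks once per TTL" schedule are all assumptions chosen for the model.

```python
"""Toy model of DNS Response Rate Limiting (RRL) with TC=1 "slip" responses.

Added illustration, not code from the thread, ISC, or BIND. Models the
mechanism of ISC-TN-2012-1: responses are accounted per (client /24, qname)
token bucket; over the limit they are dropped, except that every `slip`-th
suppressed response is sent truncated (TC=1) so a genuine client can retry
over TCP. All traffic figures and addresses below are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress

ATTACK_QPS = 200                      # spoofed queries per second (assumed)
ATTACK_START, ATTACK_END = 100, 400   # attack window in seconds (assumed)
SPOOFED_SRC = "192.0.2.10"            # victim address the attacker forges
RESOLVER_SRC = "192.0.2.53"           # a real resolver in the victim's /24
QNAME, TTL = "example.com.", 300      # the resolver re-asks once per TTL
MAX_UDP_TRIES = 3                     # resolver gives up after 3 dropped UDP tries


@dataclass
class Bucket:
    balance: int
    last_sec: int
    suppressed: int = 0   # running count of suppressed responses; drives the slip slot


class RRL:
    """Per-second token bucket keyed on (client /24, qname); UDP only."""

    def __init__(self, responses_per_second=5, window=15, slip=2):
        self.rate = responses_per_second
        self.cap = responses_per_second * window   # most credit a quiet bucket can bank
        self.slip = slip
        self.buckets = {}

    @staticmethod
    def _key(src, qname):
        net = ipaddress.ip_network(f"{src}/24", strict=False)
        return (str(net), qname.lower())

    def decide(self, sec, src, qname):
        """Return "answer", "truncate" (TC=1 sent) or "drop" for one response."""
        key = self._key(src, qname)
        b = self.buckets.get(key)
        if b is None:
            b = self.buckets[key] = Bucket(self.cap, sec)
        # Refill once per elapsed second, never above the cap.
        b.balance = min(self.cap, b.balance + (sec - b.last_sec) * self.rate)
        b.last_sec = sec
        if b.balance > 0:
            b.balance -= 1
            return "answer"
        b.suppressed += 1
        if self.slip and b.suppressed % self.slip == 0:
            return "truncate"
        return "drop"


def simulate(sim_seconds=601, resolver_times=(0, 300, 600)):
    """Run the flood plus one real resolver; return (attacker verdicts, resolver outcomes)."""
    rrl = RRL()
    attacker = Counter()
    resolver_outcome = {}                          # first-query second -> "udp" | "tcp" | "failed"
    pending = {t: [(t, 1)] for t in resolver_times}   # sec -> [(query_id, attempt)]
    for sec in range(sim_seconds):
        queries = []
        if ATTACK_START <= sec < ATTACK_END:
            queries = [(SPOOFED_SRC, None)] * ATTACK_QPS
        for qid, attempt in pending.pop(sec, []):
            # The real resolver's query lands in the middle of that second's flood.
            queries.insert(len(queries) // 2, (RESOLVER_SRC, (qid, attempt)))
        for src, tag in queries:
            verdict = rrl.decide(sec, src, QNAME)
            if tag is None:
                attacker[verdict] += 1
                continue
            qid, attempt = tag
            if verdict == "answer":
                resolver_outcome[qid] = "udp"
            elif verdict == "truncate":
                resolver_outcome[qid] = "tcp"      # TC=1: retry over TCP, which RRL does not limit
            elif attempt < MAX_UDP_TRIES:
                pending.setdefault(sec + 1, []).append((qid, attempt + 1))   # timeout, retry UDP
            else:
                resolver_outcome[qid] = "failed"
    return attacker, resolver_outcome


if __name__ == "__main__":
    attacker, outcomes = simulate()
    print("attacker responses:", dict(attacker))
    print("real resolver, one query per TTL:", outcomes)
```

With these parameters the flood of 60,000 spoofed queries gets 1,570 full answers (the banked credit plus 5 per second), and the rest are split roughly evenly between silent drops and TC=1 replies; the resolver's queries before and after the attack are answered normally over UDP, and the single query it makes during the attack is truncated and goes to TCP. That is the point in the exchange above: because a real client re-asks once per TTL, the number of UDP-to-TCP upgrades RRL provokes is bounded by the real query rate, not by the flood. The model omits things BIND's implementation has (negative balances within the window, separate limits for NXDOMAIN and error responses, the exempt-clients ACL), so treat it as an illustration of the slip mechanism, not as a predictor for a given deployment.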