[dns-operations] Slow Drip DDOS Attack Research
Paul Vixie
paul at redbarn.org
Wed Nov 7 17:58:55 UTC 2018
from page 2 of the PDF:
> The Slow Drip attack is designed to target an authoritative name
> server. In its simplest form, a large volume of DNS requests are sent
> to open resolvers requesting the resolution IP (the A record) of
> random subdomains of a registered domain. The random hostnames, or
> domain prefixes, serve the purpose of ensuring that the queries are
> forwarded to the authoritative name servers through the global DNS.
> As the requests cascade into the authoritative name servers, they
> return NXDOMAIN (rcode=3) responses, but ultimately the servers are
> overwhelmed.
this is why DNS Response Rate Limiting (DNS RRL) uses a smaller default
for negative limits than for positive ones. note, again, that the
defaults are carefully considered, and likely won't benefit from tuning.
http://www.redbarn.org/dns/ratelimits/
i also question whether open resolvers are truly nec'y for this attack.
opendns and google do a lot of rate limiting and have 24x7 human
coverage to detect anomalies. i have to assume that IBM and CloudFlare
do the same, or else we'd have heard about other amplification attacks
through those open recursives before now.
vixie
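To make the point about negative limits concrete, here is a toy model of the RRL bucketing added to this archive page; it is not BIND's, NSD's or any other server's code and not part of the original message. It assumes a constructed zone (example.com.), constructed resolver and client addresses from documentation ranges, and a one-second window with a debt cap of one second's credit, which is a simplification of the real window handling. The security-relevant part is the key: NXDOMAIN responses are bucketed by (client /24, zone), so the random labels of a slow-drip flood all land in one bucket, while a naive qname-keyed bucket lets every random name escape the limit.

```python
"""Simplified model of DNS Response Rate Limiting (RRL) token buckets.

Added example: a toy re-implementation of the RRL idea, not BIND's or any
other server's code. Zone, addresses and traffic are constructed for the demo.
"""
import ipaddress
import random
import string
from collections import defaultdict

ZONE = "example.com."          # assumed authoritative zone (constructed)
RESOLVER_IP = "198.51.100.7"   # constructed: open resolver relaying attack queries
CLIENT_IP = "203.0.113.5"      # constructed: honest resolver asking for a real name


def bucket_key(client_ip, qname, rcode, naive_nx_key=False):
    """Map a would-be response to its RRL bucket.

    RRL keys positive answers on (client netblock, qname) but keys NXDOMAIN on
    (client netblock, zone): every random label under the zone shares one
    bucket, so randomising names does not let the attacker dodge the limit.
    naive_nx_key=True keys NXDOMAIN on the qname instead, to show the escape.
    """
    net = str(ipaddress.ip_network(f"{client_ip}/24", strict=False))
    if rcode == "NXDOMAIN" and not naive_nx_key:
        return ("nx", net, ZONE)
    return ("nx" if rcode == "NXDOMAIN" else "pos", net, qname)


class RRL:
    def __init__(self, responses_per_second, nxdomains_per_second,
                 slip=2, naive_nx_key=False):
        self.limits = {"pos": responses_per_second, "nx": nxdomains_per_second}
        self.slip = slip                  # every Nth dropped reply is sent truncated
        self.naive_nx_key = naive_nx_key
        self.credits = {}                 # bucket -> (credit, last_second)
        self.dropped = defaultdict(int)   # bucket -> count of rate-limited replies

    def decide(self, now, client_ip, qname, rcode):
        key = bucket_key(client_ip, qname, rcode, self.naive_nx_key)
        limit = self.limits[key[0]]
        sec = int(now)
        credit, last = self.credits.get(key, (limit, sec))
        credit = min(limit, credit + (sec - last) * limit)  # refill once per second
        credit = max(credit - 1, -limit)  # spend one; cap the debt at one second's worth
        self.credits[key] = (credit, sec)
        if credit >= 0:
            return "send"
        self.dropped[key] += 1
        if self.slip and self.dropped[key] % self.slip == 0:
            return "slip"   # TC=1 reply so a real client can retry over TCP
        return "drop"


def random_label(rng, n=12):
    alphabet = string.ascii_lowercase + string.digits
    return "".join(rng.choice(alphabet) for _ in range(n))


def simulate(nx_queries=1000, legit_queries=8, responses_per_second=10,
             nxdomains_per_second=5, naive_nx_key=False, seed=1):
    """One second of slow-drip traffic plus a few honest queries; returns the
    per-traffic-class tally of send/slip/drop decisions."""
    rng = random.Random(seed)
    rrl = RRL(responses_per_second, nxdomains_per_second, naive_nx_key=naive_nx_key)
    tally = {"attack": defaultdict(int), "legit": defaultdict(int)}
    now = 0.0
    for _ in range(nx_queries):      # random subdomains -> NXDOMAIN at the authority
        qname = f"{random_label(rng)}.{ZONE}"
        tally["attack"][rrl.decide(now, RESOLVER_IP, qname, "NXDOMAIN")] += 1
    for _ in range(legit_queries):   # real name, positive answer, other netblock
        tally["legit"][rrl.decide(now, CLIENT_IP, f"www.{ZONE}", "NOERROR")] += 1
    return {k: dict(v) for k, v in tally.items()}


if __name__ == "__main__":
    print("zone-keyed NXDOMAIN bucket:", simulate())
    print("qname-keyed (naive):      ", simulate(naive_nx_key=True))
```

With the zone-keyed bucket, the 1000 random-label queries get 5 NXDOMAIN answers in the second and the rest are dropped or slipped, while the 8 positive queries for the real name from another netblock are all answered; with the naive key every random name is its own bucket and all 1000 negatives go out.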