[dns-operations] Slow Drip DDOS Attack Research

Paul Vixie paul at redbarn.org
Wed Nov 7 17:58:55 UTC 2018

from page 2 of the PDF:

> The Slow Drip attack is designed to target an authoritative name
> server. In its simplest form, a large volume of DNS requests are sent
> to open resolvers requesting the resolution IP (the A 8 record) of
> random subdomains of a registered domain. The random hostnames, or
> domain prefixes, serve the purpose of ensuring that the queries are
> forwarded to the authoritative name servers through the global DNS.
> As the requests cascade into the authoritative name servers, they
> return NXDOMAIN (rcode=3) responses, but ultimately the servers are
> overwhelmed.

this is why DNS Response Rate Limiting (DNS RRL) uses a smaller default 
for negative limits than for positive ones. note, again, that the 
defaults are carefully considered, and likely won't benefit from tuning.


i also question whether open resolvers are truly nec'y for this attack. 
opendns and google do a lot of rate limiting and have 24x7 human 
coverage to detect anomalies. i have to assume that IBM and CloudFlare 
do the same, or else we'd have heard about other amplification attacks 
through those open recursives before now.
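As an added illustration of the point about RRL keeping a smaller limit for negative answers than for positive ones (this is example code written for this page, not part of Paul Vixie's post and not BIND's or any other server's RRL implementation), the toy limiter below keeps one credit bucket per client /24 for each (qname, qtype) it answers positively, and one bucket per client /24 per zone for NXDOMAIN answers, so a random-subdomain flood cannot escape the limit by changing the prefix. The option names echo BIND 9's rate-limit block (responses-per-second, nxdomains-per-second, window, slip) but the arithmetic, the /24 grouping and the sample traffic are simplifications constructed here.

```python
"""Toy DNS Response Rate Limiting (RRL) model with a separate, smaller limit
for negative (NXDOMAIN) answers.  Added illustration, not server code.
Option names echo BIND 9's rate-limit block; the bucket maths is simplified."""
from dataclasses import dataclass
import ipaddress


@dataclass
class RrlConfig:
    responses_per_second: int = 20   # positive answers, per client block and (qname, qtype)
    nxdomains_per_second: int = 5    # NXDOMAIN answers, per client block and zone
    window: int = 5                  # seconds of credit a bucket may bank
    slip: int = 2                    # every Nth suppressed answer goes out truncated (TC=1)
    ipv4_prefix_len: int = 24        # clients are grouped by this prefix (assumption)


@dataclass
class Bucket:
    credits: float
    last: float
    suppressed: int = 0


class ResponseRateLimiter:
    def __init__(self, cfg: RrlConfig):
        self.cfg = cfg
        self.buckets: dict = {}

    def _key(self, client_ip, rcode, qname, qtype, zone):
        net = ipaddress.ip_network(f"{client_ip}/{self.cfg.ipv4_prefix_len}", strict=False)
        if rcode == "NXDOMAIN":
            # All misses in one zone share one bucket, so random prefixes
            # do not each get fresh credit.
            return ("neg", str(net), zone)
        return ("pos", str(net), qname.lower(), qtype)

    def decide(self, now, client_ip, rcode, qname, qtype, zone):
        """Return 'send', 'slip' (truncated answer, client may retry over TCP) or 'drop'."""
        key = self._key(client_ip, rcode, qname, qtype, zone)
        limit = (self.cfg.nxdomains_per_second if key[0] == "neg"
                 else self.cfg.responses_per_second)
        b = self.buckets.get(key)
        if b is None:
            b = Bucket(credits=float(limit), last=now)
            self.buckets[key] = b
        # Refill at `limit` credits per second, capped at `window` seconds' worth.
        b.credits = min(limit * self.cfg.window, b.credits + (now - b.last) * limit)
        b.last = now
        if b.credits >= 1.0:
            b.credits -= 1.0
            return "send"
        b.suppressed += 1
        if self.cfg.slip and b.suppressed % self.cfg.slip == 0:
            return "slip"
        return "drop"


def simulate():
    """Constructed traffic: a random-subdomain NXDOMAIN flood arriving from one
    /24, normal positive lookups from another client, and a lone typo from a
    third.  Buckets are independent, so the three streams do not interact."""
    rrl = ResponseRateLimiter(RrlConfig())
    counts = {k: {"send": 0, "slip": 0, "drop": 0}
              for k in ("flood", "normal", "other_nx")}
    # 200 queries in one second for q0.example.com .. q199.example.com (constructed)
    for i in range(200):
        verdict = rrl.decide(i * 0.005, f"10.0.0.{i % 250 + 1}", "NXDOMAIN",
                             f"q{i}.example.com", "A", "example.com")
        counts["flood"][verdict] += 1
    # 10 positive lookups at 10 qps from an unrelated client block
    for i in range(10):
        verdict = rrl.decide(i * 0.1, "192.0.2.1", "NOERROR",
                             "www.example.com", "A", "example.com")
        counts["normal"][verdict] += 1
    # A single typo from yet another block: its own bucket, so it is still answered
    verdict = rrl.decide(0.5, "198.51.100.7", "NXDOMAIN",
                         "wwww.example.com", "A", "example.com")
    counts["other_nx"][verdict] += 1
    return counts


if __name__ == "__main__":
    for kind, c in simulate().items():
        print(kind, c)
```

Running it shows the flood collapsing to a handful of answered NXDOMAINs plus a stream of slipped and dropped responses, while the positive lookups and the unrelated client's single miss are all answered; the negative limit bites the attack traffic first because every random name in the zone lands in the same small bucket.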
