[dns-operations] Slow Drip DDOS Attack Research
Paul Vixie
paul at redbarn.org
Wed Nov 7 18:42:03 UTC 2018
Renee Burton wrote:
> Paul,
>
> I'm not sure how to interpret the RRL comments; ...
RRL is a token credit scheme bucketized by {SOA,CIDR} where the default
size of a CIDR is a /24 (IPv4) or /56 (IPv6). different response types
are allowed to have different per-bucket credit limits. NXDOMAIN's
default limit is lower than RCODE=0's default limit. this is because of
random subdomain attacks.
diffusion is still the way to beat RRL.
radically small limits on recursives, such as 0 for off-net requests, is
the way to beat randomized subdomains.
radically small limits on authoritatives, targeted at recursives who
don't have a radically small enough limit on their queries, is the way
to cause more recursives to have radically smaller limits, such as 0 for
off-net requests.
it's not whack-a-mole all the way down, in other words. just, right now.
thanks for writing and sharing your research.
--
P Vixie
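The RRL sketch in Paul's reply (credit buckets keyed by {SOA, client CIDR}, /24 for IPv4 and /56 for IPv6, with a lower per-bucket limit for NXDOMAIN than for RCODE=0) is easy to misread without seeing the buckets fill and drain. The following is an added toy model, not BIND's RRL implementation and not code from anyone on the thread. It assumes illustrative limits (10 NOERROR and 5 NXDOMAIN credits per one-second window, not any server's real defaults), keys each bucket by (zone, prefix, rcode), and only sends or drops (real RRL also has a "slip" mode that occasionally returns a truncated reply). The query stream is constructed: a random-subdomain flood from one /24 that yields only NXDOMAIN, a few legitimate NOERROR answers from the same /24, and a handful of NXDOMAINs from an unrelated /24.

```python
"""Toy model of DNS Response Rate Limiting (RRL): credit buckets keyed by
{zone SOA, client CIDR} with a separate credit limit per response type.
Added example, not BIND's code; limits and the query stream are constructed."""
import ipaddress

# Assumed per-bucket credits per window, by response type (illustrative
# numbers, not any server's defaults).  NXDOMAIN is deliberately lower
# because a random-subdomain flood produces nothing but NXDOMAIN.
DEFAULT_LIMITS = {"NOERROR": 10, "NXDOMAIN": 5}
WINDOW_SECONDS = 1.0


def client_prefix(client_ip: str) -> str:
    """Collapse a client address to its RRL bucket prefix: /24 for IPv4, /56 for IPv6."""
    ip = ipaddress.ip_address(client_ip)
    prefix_len = 24 if ip.version == 4 else 56
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


class RRL:
    """Token-credit limiter.  Each bucket refills at `limit` credits per
    window, capped at `limit`; every response sent costs one credit.
    Simplification: a bucket that is out of credit drops (no 'slip')."""

    def __init__(self, limits=None, window=WINDOW_SECONDS):
        self.limits = dict(limits or DEFAULT_LIMITS)
        self.window = window
        self.buckets = {}  # (zone, prefix, rcode) -> (credits, last_seen)

    def decide(self, zone: str, client_ip: str, rcode: str, now: float) -> str:
        limit = self.limits[rcode]
        key = (zone, client_prefix(client_ip), rcode)
        credits, last = self.buckets.get(key, (float(limit), now))
        # refill proportionally to elapsed time, capped at the bucket size
        credits = min(float(limit), credits + (now - last) * limit / self.window)
        if credits >= 1.0:
            self.buckets[key] = (credits - 1.0, now)
            return "send"
        self.buckets[key] = (credits, now)
        return "drop"


def simulate(queries, limiter=None):
    """Run (time, zone, client_ip, rcode) tuples through the limiter and
    tally send/drop decisions per (client prefix, rcode)."""
    limiter = limiter or RRL()
    tally = {}
    for now, zone, client_ip, rcode in queries:
        verdict = limiter.decide(zone, client_ip, rcode, now)
        k = (client_prefix(client_ip), rcode)
        tally.setdefault(k, {"send": 0, "drop": 0})[verdict] += 1
    return tally


def constructed_stream():
    """Constructed sample traffic, all inside one one-second window:
    a random-subdomain flood from 192.0.2.0/24 (NXDOMAIN only, source host
    varies), legitimate NOERROR answers from the same /24, and a few
    NXDOMAINs from an unrelated /24 that lands in its own bucket."""
    zone = "example.com."
    qs = []
    for i in range(20):  # flood: 20 NXDOMAIN from 192.0.2.0/24
        qs.append((0.1 + i * 0.01, zone, f"192.0.2.{10 + i}", "NXDOMAIN"))
    for i in range(8):   # legitimate NOERROR from the same /24
        qs.append((0.2 + i * 0.01, zone, "192.0.2.50", "NOERROR"))
    for i in range(3):   # NXDOMAIN from a different /24
        qs.append((0.3 + i * 0.01, zone, "198.51.100.7", "NXDOMAIN"))
    return qs


if __name__ == "__main__":
    for (prefix, rcode), counts in sorted(simulate(constructed_stream()).items()):
        print(f"{prefix:18} {rcode:9} sent={counts['send']:2} dropped={counts['drop']:2}")
```

Running it shows the point of the per-type limits: the flood exhausts the /24's NXDOMAIN bucket after five answers and the remaining fifteen are dropped, while the NOERROR answers to the same /24 are untouched because they draw on a separate, larger bucket; a different /24 (and, in the model, a different zone) gets its own credits. It also shows why diffusion beats RRL, as the reply notes: spreading the same flood across many /24s gives each source its own full bucket.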