[dns-operations] Slow Drip DDOS Attack Research

Paul Vixie paul at redbarn.org
Wed Nov 7 18:42:03 UTC 2018

Renee Burton wrote:
> Paul,
> I'm not sure how to interpret the RRL comments; ...

RRL is a token credit scheme bucketized by {SOA,CIDR} where the default 
size of a CIDR is a /24 (IPv4) or /56 (IPv6). different response types 
are allowed to have different per-bucket credit limits. NXDOMAIN's 
default limit it lower than RCODE=0's default limit. this is because of 
random subdomain attacks.

diffusion is still the way to beat RRL.

radically small limits on recursives, such as 0 for off-net requests, is 
the way to beat randomized subdomains.

radically small limits on authoritatives, targeted at recursives who 
don't have a radically small enough limit on their queries, is the way 
to cause more recursives to have radically smaller limits, such as 0 for 
off-net requests.

it's not whack-a-mole all the way down, in other words. just, right now.

thanks for writing and sharing your research.

P Vixie

More information about the dns-operations mailing list