[dns-operations] solutions for DDoS mitigation of DNS

Ray Bellis ray at isc.org
Thu Apr 2 10:22:17 UTC 2020



On 02/04/2020 11:10, Davey Song wrote:
> I'm very confused that why people on the list are suggesting RRL (even
> BCP38) to the victim of DoS attack? If I remember correctly, the goal of
> both RRL and BCP38 is to reduce the chance of participating the attack
> as a innocent helper.
> 
> In the introduce of RRL (https://kb.isc.org/docs/aa-01000)  , it goes :
> "RRL helps mitigate DNS denial-of-service attacks by reducing the rate
> at which authoritative servers respond to high volumes of malicious
> queries. "  
> 
> Please correct me .

The OP described a spoofed-source amplification attack.

They are not the "victim", but the unwilling participant.

RRL is the correct solution for this class of attack.

Ray



More information about the dns-operations mailing list