[dns-operations] solutions for DDoS mitigation of DNS
ray at isc.org
Thu Apr 2 10:22:17 UTC 2020
On 02/04/2020 11:10, Davey Song wrote:
> I'm very confused that why people on the list are suggesting RRL (even
> BCP38) to the victim of DoS attack? If I remember correctly, the goal of
> both RRL and BCP38 is to reduce the chance of participating the attack
> as a innocent helper.
> In the introduce of RRL (https://kb.isc.org/docs/aa-01000) , it goes :
> "RRL helps mitigate DNS denial-of-service attacks by reducing the rate
> at which authoritative servers respond to high volumes of malicious
> queries. "
> Please correct me .
The OP described a spoofed-source amplification attack.
They are not the "victim", but the unwilling participant.
RRL is the correct solution for this class of attack.
More information about the dns-operations