[dns-operations] solutions for DDoS mitigation of DNS

Paul Vixie paul at redbarn.org
Thu Apr 2 19:54:42 UTC 2020


strong +1 here. recommended reading or re-reading.

On Thursday, 2 April 2020 17:23:22 UTC Fred Morris wrote:
> On Thu, 2 Apr 2020, Davey Song wrote:
> > I'm very confused about why people on the list are suggesting RRL (even
> > BCP38) to the victim of a DoS attack?
> 
> The reason rate limiting, of any kind (not just DNS, not just UDP; TCP SYN
> for example), helps in a spoofed source attack is because it makes you a
> less nourishing host for the parasites and hopefully they eventually move
> on.
> 
> It also means that a persistent legitimate party is more likely to get an
> answer.
> 
> It also means that the true victim (behind the spoofed source address) is
> less likely to mitigate by blocking traffic from you (your legitimate
> source address when you reply).

-- 
Paul



