[dns-operations] solutions for DDoS mitigation of DNS
Paul Vixie
paul at redbarn.org
Thu Apr 2 19:54:42 UTC 2020
strong +1 here. recommended reading or re-reading.
On Thursday, 2 April 2020 17:23:22 UTC Fred Morris wrote:
> On Thu, 2 Apr 2020, Davey Song wrote:
> > I'm very confused about why people on the list are suggesting RRL (even
> > BCP38) to the victim of a DoS attack?
>
> The reason rate limiting, of any kind (not just DNS, not just UDP; TCP SYN
> for example), helps in a spoofed source attack is because it makes you a
> less nourishing host for the parasites and hopefully they eventually move
> on.
>
> It also means that a persistent legitimate party is more likely to get an
> answer.
>
> It also means that the true victim (behind the spoofed source address) is
> less likely to mitigate by blocking traffic from you (your legitimate
> source address when you reply).
--
Paul
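
The effect described in the quoted reply, as an added example that is not part of the original thread: a simplified per-prefix response rate limiter replayed against a constructed spoofed-source flood. The class, the byte sizes, the rates and the truncated-reply ("slip") behaviour are assumptions modelled loosely on DNS RRL, not code from any name server.

```python
import ipaddress
from collections import Counter

# Constructed sizes for illustration (bytes), not measurements.
QUERY_BYTES, FULL_BYTES, TRUNCATED_BYTES = 60, 3000, 60

class ResponseRateLimiter:
    """Simplified model of DNS RRL: integer token bucket per client prefix.
    Every `slip`-th rate-limited reply goes out truncated (TC=1) so a real
    client can retry over TCP; the rest are dropped."""

    def __init__(self, per_second=5, slip=2, prefix_len=24):
        self.rate, self.slip, self.prefix_len = per_second, slip, prefix_len
        self.buckets = {}  # prefix -> [milli-tokens, last_ms, limited_count]

    def decide(self, src_ip, now_ms):
        prefix = ipaddress.ip_network(f"{src_ip}/{self.prefix_len}", strict=False)
        b = self.buckets.setdefault(prefix, [self.rate * 1000, now_ms, 0])
        # Refill: `rate` tokens per second equals `rate` milli-tokens per ms.
        b[0] = min(self.rate * 1000, b[0] + (now_ms - b[1]) * self.rate)
        b[1] = now_ms
        if b[0] >= 1000:
            b[0] -= 1000
            return "answer"
        b[2] += 1
        if self.slip and b[2] % self.slip == 0:
            return "truncated"
        return "drop"

def flood(limiter, spoofed_src, queries=1000, duration_ms=1000):
    """Replay a constructed flood whose packets claim to come from `spoofed_src`."""
    return Counter(limiter.decide(spoofed_src, i * duration_ms // queries)
                   for i in range(queries))

def reflected_bytes(outcome):
    """Bytes the server sends toward the spoofed (victim) address."""
    return outcome["answer"] * FULL_BYTES + outcome["truncated"] * TRUNCATED_BYTES

if __name__ == "__main__":
    rrl = ResponseRateLimiter()
    outcome = flood(rrl, "192.0.2.10")  # documentation address standing in for the victim
    sent = 1000 * QUERY_BYTES
    print("decisions:", dict(outcome))
    print("amplification without limiting:", 1000 * FULL_BYTES / sent)
    print("amplification with limiting:   ", reflected_bytes(outcome) / sent)
    print("other prefix during flood:", rrl.decide("198.51.100.7", 999))
```

With these constructed numbers the server reflects fewer bytes than it receives, a client in an unrelated prefix is still answered, and a client inside the limited prefix gets a truncated reply within two tries and can retry over TCP.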