[ratelimits] error in amplification attack

Vernon Schryver vjs at rhyolite.com
Tue Nov 13 22:49:27 UTC 2012

> From: Andrew Sullivan <ajs at anvilwalrusden.com>

> well-placed lawsuit, I think there's about an even chance that
> real-time registrations under some sort of checklist regime will
> happen.

How is maintaining a list of TLDs related to rate limiting (or not)
REFUSED responses from a DNS server that is authoritative for neither
"." nor any TLD?

>                 I still don't understand how all this overhead is
> preferable to either sending a referral or an empty response, but
> probably I'm missing something.

Is an empty response what is commonly called a NODATA response, an
NXDOMAIN error response, or something else?  How would a NODATA
response or anything other than REFUSED, NXDOMAIN, a referral, or
a complete response be provoked?

Why should a DNS server that is authoritative for neither "." nor
any TLD and not an intentionally open public server like those of
OpenDNS or Google send anything but a REFUSED error response to
strange DNS clients?

Which overhead is meant, maintaining a list of valid TLDs or rate
limiting responses to requests for TLDs?  If it is rate limiting, then
please note that amplification is not required for DNS reflections to
be useful in a denial of service attack.  Reflecting a few Gbit/sec
of traffic off thousands of poorly maintained and monitored open DNS
servers sounds useful for obscuring the original sources of an attack.
That is true whether the reflected traffic consists of small error
responses such as NXDOMAIN or REFUSED or larger referrals.

A DNSSEC referral from the gTLD roots gives amplification of
about 14X.

Vernon Schryver    vjs at rhyolite.com
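An added illustration of the rate-limiting side of this discussion (not code from the post, nor from BIND's RRL or any other implementation): a minimal per-client-network response limiter that counts REFUSED like any other response type and, beyond the limit, alternates between dropping and "slipping" a truncated reply so a legitimate client can retry over TCP. The class name, parameters, IPv4-only /24 keying and the sample event list are assumptions.

```python
# Added example; not from the original post. Assumes IPv4 clients and a
# 1-second window; RESPONSES_PER_SECOND and SLIP are illustrative values.
import ipaddress
from collections import defaultdict

RESPONSES_PER_SECOND = 5   # per (client /24, response type) bucket
WINDOW_SECONDS = 1.0
SLIP = 2                   # every 2nd limited answer goes out truncated (TC=1)


class ResponseRateLimiter:
    """Fixed-window limiter keyed on (client network, response type)."""

    def __init__(self, rate=RESPONSES_PER_SECOND, window=WINDOW_SECONDS, slip=SLIP):
        self.rate = rate
        self.window = window
        self.slip = slip
        self.counts = defaultdict(int)          # key -> responses in window
        self.window_start = defaultdict(float)  # key -> window start time
        self.limited = defaultdict(int)         # key -> answers over the limit

    def decide(self, now, client_ip, rtype):
        # Key on the /24 so an attacker spoofing many addresses in one
        # network shares one bucket (same choice RRL-style limiters make).
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        key = (net, rtype)
        if now - self.window_start[key] >= self.window:
            self.window_start[key] = now
            self.counts[key] = 0
        self.counts[key] += 1
        if self.counts[key] <= self.rate:
            return "send"
        self.limited[key] += 1
        if self.slip and self.limited[key] % self.slip == 0:
            return "slip"   # small TC=1 reply: cheap, and real clients retry via TCP
        return "drop"


def simulate(events, limiter=None):
    """Run (time, client_ip, response_type) events; return decision tally."""
    limiter = limiter or ResponseRateLimiter()
    tally = defaultdict(int)
    for now, ip, rtype in events:
        tally[limiter.decide(now, ip, rtype)] += 1
    return dict(tally)


# Constructed sample: 12 REFUSED replies in 0.6 s toward spoofed addresses
# in 198.51.100.0/24, plus one ordinary answer to an unrelated client.
SAMPLE_EVENTS = [(0.05 * i, f"198.51.100.{i}", "REFUSED") for i in range(12)]
SAMPLE_EVENTS.append((0.3, "203.0.113.7", "NOERROR"))
```

With these constants the reflected volume toward the spoofed /24 falls from 12 REFUSED replies to 5 full replies plus 3 truncated ones, while the unrelated client is unaffected.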
