[ratelimits] error in amplification attack

Vernon Schryver vjs at rhyolite.com
Wed Nov 14 03:15:35 UTC 2012

> From: Andrew Sullivan <ajs at crankycanuck.ca>

> > Which overhead is meant, maintaining a list of valid TLDs or rate
> > limiting response to requests TLDs?
> Surely both.  Neither is free.  REFUSED (and so on) all sounds to me
> cheaper than spinning up rate limiting infrastructure for a condition
> that could change in future when the relevant TLD gets delegated.

On the contrary, I think letting the RRL patches send neither a referral
nor an error response of REFUSED or NXDOMAIN is cheaper than spending
the CPU cycles and bandwidth to marshal and send the response.

> > A DNSSEC referral from the gTLD roots gives amplification of
> > about 14X.
> What is a DNSSEC referral?  I don't think such referrals are signed,
> are they?

I doubt DNSSEC would be secure if referrals could be forged undetectably.

Try `dig +trace crankycanuck.ca` or
`dig +dnssec crankycanuck.ca @a.root-servers.net` and notice the
RRSIG and NSEC RRs as well as the ~12X amplification.
http://stats.research.icann.org/dns/tld_report/ says that .ca is
not yet signed.  I guess that's why I can't get signatures from the
authorities for .ca for their referrals.

Vernon Schryver    vjs at rhyolite.com
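Added example, not code from this thread or from the RRL patches: a small simulation of RRL-style response rate limiting over constructed traffic, comparing the bytes a spoofed victim receives when over-limit responses are answered normally, answered with REFUSED, or not sent at all. Packet sizes, the per-/24 aggregation key and the fixed one-second window are assumptions chosen to match the ~12X referral amplification discussed above.

```python
"""Simulate RRL-like response rate limiting for DNS amplification traffic.
Added example, not from the thread or the RRL patches. Sizes are assumed."""
from collections import defaultdict

QUERY_BYTES = 60                    # assumed size of one spoofed UDP query
REFERRAL_BYTES = 12 * QUERY_BYTES   # ~12X DNSSEC referral amplification
REFUSED_BYTES = QUERY_BYTES         # assumed: an error response about echoes the query

def client_net(ip):
    """Aggregate by /24 (as RRL does), so rotating the last octet shares a bucket."""
    return ".".join(ip.split(".")[:3]) + ".0/24"

def simulate(queries, limit, policy):
    """queries: list of (second, src_ip, response_identity).
    limit: max identical responses per second towards one /24.
    policy: 'none' (no limiting), 'refuse' (REFUSED once over limit),
            'drop' (send nothing once over limit).
    Returns dict src_ip -> bytes sent to that address."""
    counts = defaultdict(int)   # (second, /24, response identity) -> responses
    sent = defaultdict(int)
    for sec, src, ident in queries:
        key = (sec, client_net(src), ident)
        counts[key] += 1
        if policy == "none" or counts[key] <= limit:
            sent[src] += REFERRAL_BYTES
        elif policy == "refuse":
            sent[src] += REFUSED_BYTES
        # 'drop': nothing is marshalled or sent for the over-limit query
    return dict(sent)

def amplification(sent_bytes, n_queries):
    """Bytes reaching the spoofed source per byte of query traffic."""
    return sent_bytes / (n_queries * QUERY_BYTES)

# Constructed traffic: 1000 spoofed queries/s "from" the victim 203.0.113.7
# for a signed referral, plus three genuine lookups from another network.
FLOOD = [(0, "203.0.113.7", "referral:example.") for _ in range(1000)]
LEGIT = [(0, "198.51.100.4", "referral:example.") for _ in range(3)]

if __name__ == "__main__":
    for policy in ("none", "refuse", "drop"):
        out = simulate(FLOOD + LEGIT, limit=5, policy=policy)
        print(policy, out, round(amplification(out["203.0.113.7"], 1000), 2))
```

The genuine client is answered in full under every policy; only the repeated identical responses towards one /24 are limited. Real RRL additionally "slips" truncated responses so a legitimate resolver behind a spoofed address can retry over TCP, which this simplification omits.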
