[ratelimits] error in amplification attack
vjs at rhyolite.com
Wed Nov 14 03:15:35 UTC 2012
> From: Andrew Sullivan <ajs at crankycanuck.ca>
> > Which overhead is meant, maintaining a list of valid TLDs or rate
> > limiting responses to requests for TLDs?
> Surely both. Neither is free. REFUSED (and so on) all sounds to me
> cheaper than spinning up rate limiting infrastructure for a condition
> that could change in future when the relevant TLD gets delegated.
On the contrary, I think letting the RRL patches send neither a referral
nor an error response of REFUSED or NXDOMAIN is cheaper than spending
the CPU cycles and bandwidth to marshal and send the response.
> > A DNSSEC referral from the gTLD roots gives an amplification of
> > about 14X.
> What is a DNSSEC referral? I don't think such referrals are signed,
> are they?
I doubt DNSSEC would be secure if referrals could be forged undetectably.
Try `dig +trace crankycanuck.ca` or
`dig +dnssec crankycanuck.ca @a.root-servers.net` and notice the
RRSIG and NSEC RRs as well as the ~12X amplification.
http://stats.research.icann.org/dns/tld_report/ says that .ca is
not yet signed. I guess that's why I can't get signatures from the
authorities for .ca for their referrals.
Vernon Schryver vjs at rhyolite.com
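As an added example (not from the original post or the RRL patches) of measuring what the `dig +dnssec` output above shows: the functions below build a constructed query with the DO bit and a constructed signed-referral response, count RRSIG and NSEC records by parsing the wire format, and compute the size ratio. All names, addresses, DS digests and signature bytes are placeholders, so the ratio they yield is illustrative; `rr_type_counts` and `amplification` work unchanged on a real captured query/response pair.

```python
import struct
from collections import Counter

RTYPES = {1: "A", 2: "NS", 41: "OPT", 43: "DS", 46: "RRSIG", 47: "NSEC"}
OPT_DO = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000, 0)  # EDNS0 OPT: type 41, UDP size 4096, DO bit in TTL

def encode_name(name):  # dotted name -> uncompressed wire-format labels
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def rr(name, rtype, rdata, ttl=172800):  # NAME TYPE CLASS(IN) TTL RDLENGTH RDATA
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_query(qname):
    """Minimal UDP query for <qname>/A with EDNS0 and the DO bit, as `dig +dnssec` sends."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1) + OPT_DO

def build_signed_referral(qname, zone, servers):
    """Constructed referral from a signed parent: NS set, DS + RRSIG, NSEC + RRSIG, glue, OPT."""
    sig = b"\x00" * 18 + encode_name("parent-example.") + b"\x00" * 128  # placeholder RRSIG RDATA
    nsec = encode_name("next-example.") + b"\x00\x06\x20\x00\x00\x00\x00\x13"  # next name + NS DS RRSIG NSEC bitmap
    auth = b"".join(rr(zone, 2, encode_name(s)) for s in servers)
    auth += rr(zone, 43, b"\x00" * 36) + rr(zone, 46, sig) + rr(zone, 47, nsec) + rr(zone, 46, sig)
    addl = b"".join(rr(s, 1, bytes([192, 0, 2, i])) for i, s in enumerate(servers, 1)) + OPT_DO
    header = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, len(servers) + 4, len(servers) + 1)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1) + auth + addl

def skip_name(msg, off):  # offset just past a wire name; a 0xC0 compression pointer ends it in 2 bytes
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def rr_type_counts(msg):
    """Count RRs by type in the answer, authority and additional sections of a wire message."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, counts = 12, Counter()
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        counts[RTYPES.get(rtype, str(rtype))] += 1
        off += 10 + rdlen
    return counts

def amplification(query, response):  # response bytes per query byte, the ratio RRL is meant to bound
    return round(len(response) / len(query), 1)
```

The two RRSIGs and the NSEC are what push the constructed referral to roughly 15X the 39-byte query; dropping the DO bit from the query removes them and most of the ratio with them.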