[ratelimits] adding "all-responses-per-second X"

[Tony Finch]

Vernon Schryver <vjs at rhyolite.com> wrote:

> Tony Finch recently mentioned DNS reflection amplification attacks
> spread among many valid domains at an authority server to evade rate
> limits on individual domains.

It was Klaus Darilion who said he had observed this kind of attack on his
servers. I was just speculating about how this kind of attack could be
mounted. Note that the attack can use many names within a zone as well as
many zones.

https://lists.dns-oarc.net/pipermail/dns-operations/2012-September/008820.html

Including this feature in the RRL patch would be convenient but it
wouldn't add a lot more than a decent OS firewall. But the design you
sketched sounds OK.

But I fear (based on experience with rate limiting outgoing mail) that
other factors will be way more important than where you implement
system-wide rate limiting. Specifically, the gap between legitimate and
spammy queries spread over lots of names is much smaller than the gap for
a single name.

For instance, if you restart a university or enterprise campus recursive
server it will hammer the authority for all the local names until its
cache is populated (assuming it doesn't slave the organization's zones).
So if you have this kind of setup you will probably want to whitelist your
local networks.

Another likely problem case might be a mail + dns hosting provider, whose
authoritative name servers are likely to be hammered for lots of names
when connectivity returns after an outage (at the provider itself or at
another large mail service provider) as senders' queues drain.

So I fear that setting the threshold for this kind of limit will be really
difficult :-(

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.