[ratelimits] adding "all-responses-per-second X"
Tony Finch
dot at dotat.at
Mon Sep 17 08:37:10 UTC 2012
Paul Vixie <paul at redbarn.org> wrote:
>
> ...i now wonder if this section should be expanded to talk about
> dictionary attack against diverse existing names within a single zone.
> an NSEC walk would be a perfect example of this. i want to make sure
> we've documented everything we think attackers could do to get around
> rate limiting, to avoid any false feeling of safety.

Yes. There is at least one other way to defeat RRL - see:
https://lists.dns-oarc.net/pipermail/dns-operations/2012-September/008866.html

NSEC walking is "interesting" since it is usually considered abusive
behaviour so it would be OK for it to be throttled by a total-volume
ratelimit.

Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
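
The point discussed in this message, as an added example that is not part of the original post and not code from any RRL implementation: a simplified limiter model showing that a per-name limit alone lets a client querying many distinct names through, while a total-volume limit per client prefix caps it. The fixed one-second windows, the limit values, the function names and the query stream are all assumptions constructed for illustration.

```python
from collections import Counter

def simulate(queries, per_name_limit, all_limit=None):
    """Count responses sent per client prefix under a simplified limiter.

    queries: iterable of (second, client_prefix, qname).
    per_name_limit: max responses per second per (prefix, qname).
    all_limit: optional max total responses per second per prefix.
    Fixed one-second windows are an assumption of this sketch.
    """
    by_name = Counter()    # (second, prefix, qname) -> responses sent
    by_client = Counter()  # (second, prefix) -> responses sent
    sent = Counter()
    for second, prefix, qname in queries:
        if by_name[(second, prefix, qname)] >= per_name_limit:
            continue  # dropped by the per-name limit
        if all_limit is not None and by_client[(second, prefix)] >= all_limit:
            continue  # dropped by the total-volume limit
        by_name[(second, prefix, qname)] += 1
        by_client[(second, prefix)] += 1
        sent[prefix] += 1
    return dict(sent)

def sample_queries():
    """Constructed one-second query stream using documentation prefixes."""
    # One prefix repeating a single name: the case a per-name limit handles.
    same = [(0, "192.0.2.0/24", "www.example.") for _ in range(1000)]
    # One prefix asking for 1000 distinct existing names in the zone.
    diverse = [(0, "198.51.100.0/24", f"n{i:04d}.example.") for i in range(1000)]
    # An ordinary client making a few lookups.
    normal = [(0, "203.0.113.0/24", n)
              for n in ("a.example.", "b.example.", "c.example.")]
    return same + diverse + normal

if __name__ == "__main__":
    q = sample_queries()
    print("per-name only:     ", simulate(q, per_name_limit=5))
    print("plus all-responses:", simulate(q, per_name_limit=5, all_limit=20))
```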