[ratelimits] [dns-operations] How many kinds of DNS DoS attacks are we trying to stop ?
vjs at rhyolite.com
Thu Sep 27 20:04:24 UTC 2012
> From: Olafur Gudmundsson <ogud at ogud.com>
> If a traffic reducer turns on TC bit in its responses, then if no
> TCP connection is completed during the next N seconds,
> the reducer can go to full drop mode.
Should the DNS RRL patch stop "slipping" truncated (TC=1) responses
if it seems that no TCP requests have been seen from the CIDR block
within "window" seconds?
- it would help answer concerns about contributing to the DoS attack,
because some of the "slipped" responses are to forged requests.
- surely some DNS reflection DoS CIDR block targets lack DNS
servers and the truncated responses only harm them.
- it's not strictly necessary and might not be justified by its
code and potentical bugs.
- the truncated responses are infrequent and small enough that
they might not matter.
- small reflection DoS targets might be sending fewer than 1 request
per window seconds, and so would miss the false positive mitigation
effects of the truncated responses.
- even large reflection DoS targets might be sending fewer than 1 request
per window seconds to most DoS reflectors and so would miss the
false positive mitigation effects of the truncated responses.
- for obvious as well as obscure implementation reasons, the "TCP seen"
indicator would have a few errors in the "none seen" direction.
I've a detailed sketch of the necessary changes to the code, but
I'm inclined to forget them.
Opinions should probably be expressed in the RRL mailing list at
ratelimits at lists.redbarn.org or
instead of the dns-operations mailing list.
Vernon Schryver vjs at rhyolite.com
More information about the ratelimits