[ratelimits] [dns-operations] How many kinds of DNS DoS attacks are we trying to stop ?

Tony Finch dot at dotat.at
Fri Sep 28 09:07:11 UTC 2012


Vernon Schryver <vjs at rhyolite.com> wrote:
>
> Should the DNS RRL patch stop "slipping" truncated (TC=1) responses
> if it seems that no TCP requests have been seen from the CIDR block
> within "window" seconds?

It seems to me that this would make the slip feature useless.

When an attack is in progress against a victim, and the victim's name
server is not currently querying the server being used for reflection, the
reflecting server will treat the victim as if it has no name server and
therefore go silent. When the victim subsequently makes a legit query it
will not receive a response despite retrying.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
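A small simulation of the effect described above, added here as an illustration; it is not code from the RRL patch or from the post. The rate limiter, its budget, slip ratio and "TCP seen within window" rule are assumed simplifications, not the real implementation: spoofed queries exhaust the victim block's budget, and with the proposed rule the genuine resolver then gets neither an answer nor a TC=1 hint, however often it retries.

```python
from dataclasses import dataclass, field

@dataclass
class RRL:
    """Toy Response Rate Limiter: per-source-block budget, with 'slip' replies."""
    responses_per_second: int = 5    # assumed budget per /24 (not the real default)
    slip: int = 2                    # every 2nd over-budget answer becomes TC=1
    window: int = 15                 # seconds of 'TCP seen' memory (assumed)
    require_tcp_seen: bool = False   # the rule proposed in the quoted question
    _bucket: dict = field(default_factory=dict)   # block -> (second, answers sent)
    _last_tcp: dict = field(default_factory=dict) # block -> last TCP query time
    _dropped: dict = field(default_factory=dict)  # block -> over-budget counter

    def note_tcp(self, block, now):
        """Record that a TCP query arrived from this block."""
        self._last_tcp[block] = now

    def respond(self, block, now):
        """Decide the fate of one response: 'answer', 'slip' (TC=1) or 'drop'."""
        sec, sent = self._bucket.get(block, (now, 0))
        if sec != now:                      # new second, budget resets
            sec, sent = now, 0
        if sent < self.responses_per_second:
            self._bucket[block] = (sec, sent + 1)
            return "answer"
        self._bucket[block] = (sec, sent)
        n = self._dropped[block] = self._dropped.get(block, 0) + 1
        if n % self.slip:                   # not this one's turn to slip
            return "drop"
        last = self._last_tcp.get(block)
        if self.require_tcp_seen and (last is None or now - last > self.window):
            return "drop"                   # proposal: no TCP seen, so go silent
        return "slip"

def victim_outcome(require_tcp_seen, victim_used_tcp_recently=False,
                   attack_rate=50, seconds=3, retries=3):
    """Flood the reflector with spoofed queries 'from' the victim's block, then
    let the real victim resolver query and retry; return what the victim sees."""
    rrl = RRL(require_tcp_seen=require_tcp_seen)
    block = "192.0.2.0/24"                  # constructed, documentation range
    if victim_used_tcp_recently:
        rrl.note_tcp(block, 0)
    for t in range(seconds):
        for _ in range(attack_rate):
            rrl.respond(block, t)
    return [rrl.respond(block, seconds - 1) for _ in range(retries)]
```

With plain slip the victim's retries see a TC=1 reply and can fall back to TCP; with the proposed rule every retry is silently dropped unless the victim happened to have spoken TCP to the reflector shortly before the attack.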

