[ratelimits] [dns-operations] How many kinds of DNS DoS attacks are we trying to stop ?
jared at puck.nether.net
Fri Sep 28 17:30:30 UTC 2012
On Sep 28, 2012, at 5:07 AM, Tony Finch <dot at dotat.at> wrote:
> Vernon Schryver <vjs at rhyolite.com> wrote:
>> Should the DNS RRL patch stop "slipping" truncated (TC=1) responses
>> if it seems that no TCP requests have been seen from the CIDR block
>> within "window" seconds?
> It seems to me that this would make the slip feature useless.
> When an attack is in progress against a victim, and the victim's name
> server is not currently querying the server being used for reflection, the
> reflecting server will treat the victim as if it has no name server and
> therefore go silent. When the victim subsequently makes a legit query it
> will not receive a response despite retrying.
A number of mitigation platforms utilize the TC=1 to force clients to 'authenticate' for a period of time. Integrating this capability into the resolver could serve numerous purposes and be valuable. This hasn't resulted in anyone missing a response unless they are broken themselves (e.g.: tcp/53 blocked). Once they have performed a TCP transaction with success they can then have UDP without TC=1 (for a period of time).
This results in extra state being kept as you can't just fire back a response, you need to do something far more complex of a lookup first. I'm not sure what the impact would be in the implementation, but I'd expect something.
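To make the extra state concrete, here is an added toy model of the per-/24 bookkeeping this reply describes; it is not code from the thread nor from BIND's RRL patch, and the WINDOW and RATE values and the policy names are assumptions. It lets you compare plain slipping, the "go silent unless TCP was seen" proposal Vernon asks about, and the "TC=1 as authentication" behaviour Jared describes.

```python
from ipaddress import ip_network

WINDOW = 15   # seconds a successful TCP query vouches for a /24 (assumed value)
RATE = 5      # UDP answers per second per /24 before limiting starts (assumed value)

class RrlState:
    """Toy model of the per-client state discussed above: a token bucket of UDP
    answers per IPv4 /24, plus when that /24 last completed a query over TCP.
    This is illustrative code, not BIND's RRL implementation."""

    def __init__(self):
        self.buckets = {}      # prefix -> (tokens, time of last refill)
        self.tcp_seen_at = {}  # prefix -> time of last successful TCP transaction

    @staticmethod
    def prefix(addr):
        return str(ip_network(f"{addr}/24", strict=False))

    def note_tcp_success(self, addr, now):
        """The client retried over TCP and was answered: remember it for WINDOW s."""
        self.tcp_seen_at[self.prefix(addr)] = now

    def tcp_verified(self, addr, now):
        seen = self.tcp_seen_at.get(self.prefix(addr))
        return seen is not None and now - seen <= WINDOW

    def _take_token(self, p, now):
        tokens, last = self.buckets.get(p, (RATE, now))
        tokens = min(RATE, tokens + (now - last) * RATE)   # refill at RATE per second
        spent = tokens >= 1
        self.buckets[p] = (tokens - 1 if spent else tokens, now)
        return spent

    def decide_udp(self, addr, now, policy="slip"):
        """Decide one UDP query: ANSWER normally; SLIP (TC=1) or DROP when over limit.
        policy="slip":            plain RRL slip: over-limit clients get TC=1 every time
        policy="drop_unless_tcp": the proposal quoted in the thread: stay silent
                                  unless the /24 used TCP within WINDOW seconds
        policy="tc_as_auth":      the behaviour the reply describes: a /24 that has
                                  completed TCP gets full UDP answers, others get TC=1"""
        if self._take_token(self.prefix(addr), now):
            return "ANSWER"
        verified = self.tcp_verified(addr, now)
        if policy == "drop_unless_tcp":
            return "SLIP" if verified else "DROP"
        if policy == "tc_as_auth":
            return "ANSWER" if verified else "SLIP"
        return "SLIP"
```

Running an over-limit /24 with no recent TCP through the "drop_unless_tcp" policy shows the case Tony raises: the block is simply never answered until it happens to complete a TCP query on its own.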