[ratelimits] rate limiting recursive server

Vernon Schryver vjs at rhyolite.com
Wed Apr 17 12:34:08 UTC 2013


> From: "Patrick W. Gilmore" <patrick at ianai.net>

> > Or even use network infrastructure QoS to rate-limit traffic to it,
> > since it isn't a production device and therefore there're no worries
> > about programmatically-generated attack traffic 'squeezing out'
> > legitimate traffic.
>
> Ooh, I think we have a winner!

How does that work, when the traffic squeezing intended by the bad
guys is not in your network infrastructure?  How does using QoS to
ensure that none of the legitimate traffic in your networks is squeezed
by requests to or responses from a test open recursive server mitigate
a DNS reflection attack in the intended victim's network?
Is the idea to impose a tiny packet or bit/sec limit on all requests
and/or responses for the test DNS?  If so, why doesn't that have
the same problems but more so as the numerically same RRL limit?


Vernon Schryver    vjs at rhyolite.com
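As an added illustration of the point argued above (this simulation is not part of the thread and is not BIND's RRL code), the script below contrasts a single QoS-style cap on a resolver's total response rate with an RRL-style limit keyed on (client /24, qname, qtype). The workload, the addresses (documentation ranges), the "example. ANY" query and the limits are all constructed for the example. The aggregate cap still delivers responses to the spoofed victim at the full cap while squeezing out the handful of legitimate clients; the per-key limit throttles only the repeated spoofed flow.

```python
"""Simulate two ways of rate-limiting an open recursive resolver that is being
abused as a DNS reflector, and compare what each does to (a) legitimate
clients and (b) the spoofed victim.  Constructed example; not part of the
ratelimits thread and not BIND's RRL implementation."""
import random
from dataclasses import dataclass

VICTIM = "192.0.2.10"  # constructed: spoofed source address of the reflection victim


@dataclass
class Query:
    src: str      # source address as seen by the resolver (spoofable)
    qname: str
    qtype: str
    legit: bool   # ground truth for scoring only; the limiter never sees it


class FixedWindowLimiter:
    """Allow at most `limit` events per one-second window.  A simplification
    of the per-second credit counter real RRL implementations use."""
    def __init__(self, limit):
        self.limit = limit
        self.window = None
        self.count = 0

    def allow(self, t):
        w = int(t)
        if w != self.window:
            self.window, self.count = w, 0
        if self.count < self.limit:
            self.count += 1
            return True
        return False


def prefix24(addr):
    return ".".join(addr.split(".")[:3])


def aggregate_policy(limit):
    """One QoS-style limit on the resolver's total response rate, blind to
    who asked or what was asked."""
    bucket = FixedWindowLimiter(limit)
    return lambda t, q: bucket.allow(t)


def rrl_policy(limit_per_key):
    """RRL-style: identical responses to the same /24 are limited separately,
    so only the repeated spoofed flow is throttled."""
    buckets = {}

    def allow(t, q):
        key = (prefix24(q.src), q.qname, q.qtype)
        return buckets.setdefault(key, FixedWindowLimiter(limit_per_key)).allow(t)
    return allow


def build_traffic(seconds=10, legit_clients=5, attack_pps=1000, seed=1):
    """Constructed workload: per second, one query from each legitimate client
    plus `attack_pps` spoofed 'example. ANY' queries claiming to be VICTIM."""
    rng = random.Random(seed)
    reqs = []
    for s in range(seconds):
        batch = [Query(f"198.51.100.{c + 1}", f"host{c}.example.", "A", True)
                 for c in range(legit_clients)]
        batch += [Query(VICTIM, "example.", "ANY", False) for _ in range(attack_pps)]
        rng.shuffle(batch)  # interleave so arrival order does not favour either side
        reqs += [(s + i / len(batch), q) for i, q in enumerate(batch)]
    return reqs


def run(reqs, policy):
    """Replay the workload through a policy and count what gets answered."""
    stats = {"legit_sent": 0, "legit_delivered": 0, "victim_received": 0, "dropped": 0}
    for t, q in reqs:
        stats["legit_sent"] += q.legit
        if policy(t, q):
            stats["legit_delivered" if q.legit else "victim_received"] += 1
        else:
            stats["dropped"] += 1
    return stats


if __name__ == "__main__":
    traffic = build_traffic()
    print("aggregate 50 resp/s:", run(traffic, aggregate_policy(50)))
    print("RRL 5 resp/s per key:", run(traffic, rrl_policy(5)))
```

With the constructed numbers the aggregate cap hands the victim 50 responses every second for the whole run and answers only a few of the 50 legitimate queries, whereas the per-key limit answers all 50 legitimate queries and lets 5 responses per second through to the victim. Real RRL implementations also "slip" truncated responses to make spoofed clients retry over TCP; that behaviour is deliberately left out here.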
