[ratelimits] rrl mention in an nlnetlabs tech report

Matthijs Mekking matthijs at nlnetlabs.nl
Mon Aug 26 09:06:48 UTC 2013 

Hi Marek,

On 08/26/2013 10:50 AM, Marek Vavruša wrote:
> On 26 August 2013 09:52, Matthijs Mekking <matthijs at nlnetlabs.nl
> <mailto:matthijs at nlnetlabs.nl>> wrote:
> 
>     Hi,
> 
>     On 08/23/2013 10:13 AM, Yasuhiro Orange Morishita wrote:
>     > Hello,
>     >
>     > I've found a presentation slides made by the author.  Thanks for
>     google.
>     > <http://rp.delaat.net/2012-2013/p92/presentation.pdf>
> 
>     This presentation is not about the RRL measurements. This is a small
>     research done by on of our other interns, and is about using Visual
>     Analytics to discover DNS abuse.
> 
> 
> This piqued my interest, is there any research in progress about flow
> identification in real time?

I do not know of any such research.

As I have understood, it is quite hard to do Visual Analytics real time.
That is because you need to convert a bunch of data and that takes some
processing. But near real time could be achieved.

Also, the interactive search tools and machines don't scale well with
respect to the size of the data set, at least the ones used in this
research.

Best regards,
  Matthijs

> I wonder if we could (with some accepted error) differentiate an attack
> flow from legitimate queries.
> I mean, assuming that the spoofed packets flow through the same path,
> the frequency of the the incoming packets should be quite regular +
> there could be other markers in the IP header.
> All this could be used to calculate the probability of the "slip" (i.e.
> query that is likely to be a part of the attack would be more likely to
> be discarded without slipping an answer).
>  
> 
> 
>     The presentation on the RRL report is here:
> 
>         http://rp.delaat.net/2012-2013/p29/presentation.pdf
> 
>     >
>     >> Made by one of our interns.
>     >
>     > Your intern is great.
> 
>     To be precise, the research was done by two interns.
> 
>     Best regards,
>       Matthijs
> 
> 
> Best,
> Marek
>  
> 
> 
>     >
>     > -- Orange
>     >
>     >> --Olaf
>     >>
>     >> PS. other related intern work:
>     http://www.nlnetlabs.nl/downloads/publications/report-rrl-dekoning-rozekrans.pdf
>     >>
>     >
>     > From: Olaf Kolkman <olaf at NLnetLabs.nl>
>     > Date: Fri, 23 Aug 2013 10:01:24 +0200
>     >>
>     >>
>     >>
>     >>
>     >> On 22 aug. 2013, at 20:02, Paul Vixie <paul at redbarn.org
>     <mailto:paul at redbarn.org>> wrote:
>     >>
>     >>> saw this:
>     >>>
>     >>>> Another pro-active technique is Response Rate
>     >>>> Limiting (RRL) [29]. It limits the number of unique
>     >>>> responses sent by the authoritative server. Roughly,
>     >>>> it works by keeping track of of several pieces of
>     >>>> information of the responses. With every subsequent
>     >>>> request, the name server checks whether the
>     >>>> response that would be sent exceeds the set limit
>     >>>> of responses per second per set of information. If
>     >>>> this is the case, it either responds only once in a
>     >>>> number of queries (configurable) or it sends a
>     >>>> truncated (TC-flag set) answer, forcing a legitimate
>     >>>> resolver to retry the query over TCP. RRL is currently
>     >>>> the most promising technique and is implemented
>     >>>> in the most popular name server software like
>     >>>> BIND [14], NSD [20] and Knot [17]. The effectiveness
>     >>>> of RRL is debated, it stops unsophisticated
>     >>>> attacks using reflection.
>     >>>
>     >>> here:
>     >>>
>     >>> http://www.nlnetlabs.nl/downloads/publications/report-rp2-lexis.pdf
>     >>
>     >>
>     >> Made by one of our interns.
>     >>
>     >> I wonder if you wanted to express something more than "look at
>     this" with the specific quote?
>     >>
>     >> --Olaf
>     >>
>     >> PS. other related intern work:
>     http://www.nlnetlabs.nl/downloads/publications/report-rrl-dekoning-rozekrans.pdf
>     >>
>     >>
>     > _______________________________________________
>     > ratelimits mailing list
>     > ratelimits at lists.redbarn.org <mailto:ratelimits at lists.redbarn.org>
>     > http://lists.redbarn.org/mailman/listinfo/ratelimits
>     >
> 
>     _______________________________________________
>     ratelimits mailing list
>     ratelimits at lists.redbarn.org <mailto:ratelimits at lists.redbarn.org>
>     http://lists.redbarn.org/mailman/listinfo/ratelimits
> 
>

More information about the ratelimits mailing list