[ratelimits] Fragments of ARM Chapter 6 clarification

Vernon Schryver vjs at rhyolite.com
Mon Feb 11 20:30:52 UTC 2013

> From: nudge <nudgemac at fastmail.fm>

> ...
> However, there's just a couple of sentences in the docs that I need to
> clarification on, if you'd be so obliging:
> "Attacks that justify ignoring the contents of DNS responses are likely
> to be attacks on the DNS server itself. They usually should be discarded
> before the DNS server spends resources make TCP connections or parsing
> DNS requesets, but that rate limiting must be done before the DNS server
> sees the requests."
> What precisely does this mean in the context of response rate limiting ?

It is trying to say that firewall rules that keep minimal state to
rate limit all requests or all requests from an IP address block are
better protection for the DNS server itself than RRL.

The goal of RRL is to make DNS reflection DoS attacks more expensive
in bandwidth and less effective than sending directly toward the
intended victim, while at the same time continuing to give the
victim DNS service.

Brute force rate limiting in a firewall (or equivalent limits in
the DNS server) will deny DNS service to legitimate clients.  However,
when a DNS server itself is under successful attack, it is by
defintion unable to provide DNS service to legitimate clients.

Vernon Schryver    vjs at rhyolite.com

More information about the ratelimits mailing list