[ratelimits] Fragments of ARM Chapter 6 clarification

Paul Vixie paul at redbarn.org
Mon Feb 11 20:59:18 UTC 2013

nudge wrote:
> ...
> "Attacks that justify ignoring the contents of DNS responses are likely
> to be attacks on the DNS server itself. They usually should be discarded
> before the DNS server spends resources make TCP connections or parsing
> DNS requesets, but that rate limiting must be done before the DNS server
> sees the requests."
> What precisely does this mean in the context of response rate limiting ?

if you have enough information at the firewall or gateway to be able to
stop an attack merely by counting packets per source address, then the
attacks you'll be stopping are against your name server, not the ones
that merely use your name server as a reflecting amplifier to attack
somebody else (whose IP source addresses are getting spoofed toward
you.) correspondingly, if you want to stop reflection attacks from using
you as an amplifier, you need information that a gateway or firewall
won't have, such as the content of the prospective DNS response.

More information about the ratelimits mailing list