[ratelimits] Fragments of ARM Chapter 6 clarification

Zane Thomas zane.thomas at gmail.com
Mon Feb 11 22:38:09 UTC 2013

Do you need the content of the out-going message or is it good enough to
know that a given ip is being sent more replies than it sent questions?

On Mon, Feb 11, 2013 at 12:59 PM, Paul Vixie <paul at redbarn.org> wrote:

> nudge wrote:
> > ...
> > "Attacks that justify ignoring the contents of DNS responses are likely
> > to be attacks on the DNS server itself. They usually should be discarded
> > before the DNS server spends resources make TCP connections or parsing
> > DNS requesets, but that rate limiting must be done before the DNS server
> > sees the requests."
> >
> > What precisely does this mean in the context of response rate limiting ?
> if you have enough information at the firewall or gateway to be able to
> stop an attack merely by counting packets per source address, then the
> attacks you'll be stopping are against your name server, not the ones
> that merely use your name server as a reflecting amplifier to attack
> somebody else (whose IP source addresses are getting spoofed toward
> you.) correspondingly, if you want to stop reflection attacks from using
> you as an amplifier, you need information that a gateway or firewall
> won't have, such as the content of the prospective DNS response.
> _______________________________________________
> ratelimits mailing list
> ratelimits at lists.redbarn.org
> http://lists.redbarn.org/mailman/listinfo/ratelimits

Nullius addictus jurare in verba magistri.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.redbarn.org/pipermail/ratelimits/attachments/20130211/dfb92f82/attachment.htm>

More information about the ratelimits mailing list