[ratelimits] Fragments of ARM Chapter 6 clarification
zane.thomas at gmail.com
Mon Feb 11 22:38:09 UTC 2013
Do you need the content of the out-going message or is it good enough to
know that a given ip is being sent more replies than it sent questions?
On Mon, Feb 11, 2013 at 12:59 PM, Paul Vixie <paul at redbarn.org> wrote:
> nudge wrote:
> > ...
> > "Attacks that justify ignoring the contents of DNS responses are likely
> > to be attacks on the DNS server itself. They usually should be discarded
> > before the DNS server spends resources make TCP connections or parsing
> > DNS requesets, but that rate limiting must be done before the DNS server
> > sees the requests."
> > What precisely does this mean in the context of response rate limiting ?
> if you have enough information at the firewall or gateway to be able to
> stop an attack merely by counting packets per source address, then the
> attacks you'll be stopping are against your name server, not the ones
> that merely use your name server as a reflecting amplifier to attack
> somebody else (whose IP source addresses are getting spoofed toward
> you.) correspondingly, if you want to stop reflection attacks from using
> you as an amplifier, you need information that a gateway or firewall
> won't have, such as the content of the prospective DNS response.
> ratelimits mailing list
> ratelimits at lists.redbarn.org
Nullius addictus jurare in verba magistri.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the ratelimits