[ratelimits] Fragments of ARM Chapter 6 clarification
paul at redbarn.org
Mon Feb 11 22:43:41 UTC 2013
Zane Thomas wrote:
> Do you need the content of the out-going message or is it good enough
> to know that a given ip is being sent more replies than it sent questions?
you absolutely have to know what the prospective response would be.
that's the point of RRL. if we could solve this with front end load
balancers which were not DNS-aware (and DNS content aware) we would do it.
> On Mon, Feb 11, 2013 at 12:59 PM, Paul Vixie <paul at redbarn.org
> <mailto:paul at redbarn.org>> wrote:
> nudge wrote:
> > ...
> > "Attacks that justify ignoring the contents of DNS responses are
> > to be attacks on the DNS server itself. They usually should be
> > before the DNS server spends resources making TCP connections or
> > DNS requests, but that rate limiting must be done before the
> > DNS server sees the requests."
> > What precisely does this mean in the context of response rate
> > limiting?
> if you have enough information at the firewall or gateway to be able to
> stop an attack merely by counting packets per source address, then the
> attacks you'll be stopping are against your name server, not the ones
> that merely use your name server as a reflecting amplifier to attack
> somebody else (whose IP source addresses are getting spoofed toward
> you.) correspondingly, if you want to stop reflection attacks from
> you as an amplifier, you need information that a gateway or firewall
> won't have, such as the content of the prospective DNS response.
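The distinction Paul draws above, between a gateway that can only count packets per source address and RRL, which must first compute the prospective response, can be shown in a small simulation. The code below is an added example, not code from the ratelimits post, from BIND, or from the ARM; the toy zone, the addresses, the slip policy and the traffic are all constructed. A busy recursive resolver asking for fifty different names and a spoofed victim address "asking" fifty times for the same large record look identical to a per-source packet counter, but only the second one hits the RRL bucket.

```python
"""Added example, not code from the ratelimits list post, BIND, or the ARM:
a toy model of why response rate limiting (RRL) must look at the
*prospective response*, while a DNS-unaware gateway can only count packets
per source address. Zone contents, addresses and traffic are constructed."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed toy zone: (qname, qtype) -> (rcode, approximate response bytes).
ZONE = {("example.test.", "TXT"): ("NOERROR", 3000)}        # one large record
ZONE.update({(f"www{i}.example.test.", "A"): ("NOERROR", 60) for i in range(50)})
ZONE_ORIGIN = "example.test."


def prospective_response(qname, qtype):
    """Work out what the server would answer, before anything is sent.
    Returns (response identity, size). The identity is what RRL keys on:
    successes by (rcode, qname, qtype); negative answers by the zone, so a
    stream of random non-existent names shares one bucket."""
    rec = ZONE.get((qname, qtype))
    if rec is None:
        return ("NXDOMAIN", ZONE_ORIGIN, None), 100
    rcode, size = rec
    return (rcode, qname, qtype), size


def client_prefix(ip, v4_bits=24, v6_bits=56):
    """RRL counts per client network, since spoofed sources vary inside a prefix."""
    addr = ip_address(ip)
    bits = v4_bits if addr.version == 4 else v6_bits
    return str(ip_network(f"{addr}/{bits}", strict=False))


class ResponseRateLimiter:
    """Simplified RRL: at most `limit` identical responses per second to one
    client prefix. Excess is dropped, except every `slip`-th excess, which is
    sent truncated so a genuine client retries over TCP (assumed policy)."""

    def __init__(self, limit=5, slip=2):
        self.limit, self.slip = limit, slip
        self.counts = defaultdict(int)    # (prefix, response id, second) -> count

    def decide(self, client_ip, qname, qtype, now):
        response_id, _size = prospective_response(qname, qtype)
        key = (client_prefix(client_ip), response_id, int(now))
        self.counts[key] += 1
        excess = self.counts[key] - self.limit
        if excess <= 0:
            return "respond"
        if self.slip and excess % self.slip == 0:
            return "truncate"
        return "drop"


class SourcePacketCounter:
    """What a DNS-unaware firewall or gateway can do: count packets per source."""

    def __init__(self, limit=5):
        self.limit = limit
        self.counts = defaultdict(int)    # (source ip, second) -> count

    def decide(self, client_ip, now):
        key = (client_ip, int(now))
        self.counts[key] += 1
        return "pass" if self.counts[key] <= self.limit else "block"


def constructed_traffic():
    """Two clients, 50 queries each inside one second (constructed):
    a busy recursive resolver asking for 50 different names, and a spoofed
    victim address that keeps 'asking' for the same large TXT record."""
    resolver = [(i * 0.01, "198.51.100.5", f"www{i}.example.test.", "A") for i in range(50)]
    spoofed = [(i * 0.01, "203.0.113.9", "example.test.", "TXT") for i in range(50)]
    return resolver + spoofed


def run_demo(traffic=None):
    """Return {limiter name: {source ip: {decision: count}}}."""
    traffic = traffic or constructed_traffic()
    rrl, gateway = ResponseRateLimiter(), SourcePacketCounter()
    results = {"rrl": defaultdict(Counter), "gateway": defaultdict(Counter)}
    for now, src, qname, qtype in traffic:
        results["rrl"][src][rrl.decide(src, qname, qtype, now)] += 1
        results["gateway"][src][gateway.decide(src, now)] += 1
    return {name: {src: dict(c) for src, c in by_src.items()}
            for name, by_src in results.items()}


if __name__ == "__main__":
    for name, by_src in run_demo().items():
        print(name)
        for src, decisions in by_src.items():
            print(f"  {src}: {decisions}")
```

Run it and the resolver gets all fifty answers from the RRL model while the spoofed stream is cut to five full answers plus a few truncated ones; the per-source counter, having no idea what the answers would contain, throttles both clients the same way, which is exactly the false-positive problem the post describes.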