[ratelimits] Fragments of ARM Chapter 6 clarification

Zane Thomas zane.thomas at gmail.com
Mon Feb 11 22:47:47 UTC 2013


Knowing that there should only be one reply to a given ip for each query
coming from that ip requires at least some dns-awareness. :)

On Mon, Feb 11, 2013 at 2:43 PM, Paul Vixie <paul at redbarn.org> wrote:

> Zane Thomas wrote:
>
> Do you need the content of the out-going message or is it good enough to
> know that a given ip is being sent more replies than it sent questions?
>
> you absolutely have to know what the prospective response would be. that's
> the point of RRL. if we could solve this with front end load balancers
> which were not DNS-aware (and DNS content aware) we would do it.
>
> paul
>
> re:
>
> On Mon, Feb 11, 2013 at 12:59 PM, Paul Vixie <paul at redbarn.org> wrote:
>
>>
>>
>> nudge wrote:
>> > ...
>> > "Attacks that justify ignoring the contents of DNS responses are likely
>> > to be attacks on the DNS server itself. They usually should be discarded
>> > before the DNS server spends resources making TCP connections or parsing
>> > DNS requests, but that rate limiting must be done before the DNS server
>> > sees the requests."
>> >
>> > What precisely does this mean in the context of response rate limiting?
>>
>> if you have enough information at the firewall or gateway to be able to
>> stop an attack merely by counting packets per source address, then the
>> attacks you'll be stopping are against your name server, not the ones
>> that merely use your name server as a reflecting amplifier to attack
>> somebody else (whose IP source addresses are getting spoofed toward
>> you.) correspondingly, if you want to stop reflection attacks from using
>> you as an amplifier, you need information that a gateway or firewall
>> won't have, such as the content of the prospective DNS response.
>>
>> _______________________________________________
>> ratelimits mailing list
>> ratelimits at lists.redbarn.org
>> http://lists.redbarn.org/mailman/listinfo/ratelimits
>
> --
> Nullius addictus jurare in verba magistri.


-- 
Nullius addictus jurare in verba magistri.
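To make Paul's point concrete, here is an added example (mine, not from the list or from any RRL implementation) that contrasts a gateway-style per-source packet counter with a limiter keyed on the prospective response, as RRL is; the limits, prefix length and traffic are constructed for illustration.

```python
from collections import defaultdict
# Constructed limits modelled on the RRL design discussed in the thread: cap identical
# responses per second per client netblock; "slip" every Nth drop as a truncated reply.
RESPONSES_PER_SECOND = 5
SLIP = 2
PREFIX_BITS = 24

def client_prefix(ip, bits=PREFIX_BITS):
    """Aggregate an IPv4 address to its /24 so that spoofing neighbouring
    source addresses does not escape the limit."""
    o = [int(x) for x in ip.split(".")]
    n = (o[0] << 24 | o[1] << 16 | o[2] << 8 | o[3]) & ~((1 << (32 - bits)) - 1)
    return f"{n >> 24}.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}/{bits}"

class ResponseRateLimiter:
    """RRL keys on the prospective *response* (client prefix, qname, qtype,
    rcode), information only the name server itself has."""
    def __init__(self):
        self.count = defaultdict(int)
        self.drops = defaultdict(int)

    def decide(self, second, src_ip, qname, qtype, rcode):
        key = (second, client_prefix(src_ip), qname.lower(), qtype, rcode)
        self.count[key] += 1
        if self.count[key] <= RESPONSES_PER_SECOND:
            return "answer"
        self.drops[key] += 1
        return "slip" if self.drops[key] % SLIP == 0 else "drop"

class SourcePacketLimiter:
    """The gateway/firewall alternative: count packets per source address only."""
    def __init__(self):
        self.count = defaultdict(int)

    def decide(self, second, src_ip, *unused):
        self.count[(second, src_ip)] += 1
        return "answer" if self.count[(second, src_ip)] <= RESPONSES_PER_SECOND else "drop"

def run(limiter, queries):
    """Tally decisions for a constructed burst of queries arriving in second 0."""
    tally = defaultdict(int)
    for q in queries:
        tally[limiter.decide(0, *q)] += 1
    return dict(tally)

# Constructed traffic: a busy recursive resolver asking 20 distinct names, and a
# reflection flood of 20 identical ANY queries with the victim's spoofed address.
RESOLVER = [("192.0.2.53", f"host{i}.example.", "A", "NOERROR") for i in range(20)]
REFLECTION = [("198.51.100.9", "example.", "ANY", "NOERROR")] * 20
```

The per-source counter throttles the legitimate resolver exactly as hard as the flood, while the response-keyed limiter leaves the resolver alone and still slows the repeated amplifying answer toward the victim.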

