[ratelimits] Fragments of ARM Chapter 6 clarification

Zane Thomas zane.thomas at gmail.com
Mon Feb 11 22:48:24 UTC 2013


but now i see my mistake, nevermind


On Mon, Feb 11, 2013 at 2:47 PM, Zane Thomas <zane.thomas at gmail.com> wrote:

>
> Knowing that there should only be one reply to a given ip for each query
> coming from that ip requires at least some dns-awareness. :)
>
>
> On Mon, Feb 11, 2013 at 2:43 PM, Paul Vixie <paul at redbarn.org> wrote:
>
>>
>>
>> Zane Thomas wrote:
>>
>>
>> Do you need the content of the out-going message or is it good enough to
>> know that a given ip is being sent more replies than it sent questions?
>>
>>
>> you absolutely have to know what the prospective response would be.
>> that's the point of RRL. if we could solve this with front end load
>> balancers which were not DNS-aware (and DNS content aware) we would do it.
>>
>> paul
>>
>> re:
>>
>>
>>
>>
>> On Mon, Feb 11, 2013 at 12:59 PM, Paul Vixie <paul at redbarn.org> wrote:
>>
>>>
>>>
>>> nudge wrote:
>>> > ...
>>> > "Attacks that justify ignoring the contents of DNS responses are likely
>>> > to be attacks on the DNS server itself. They usually should be discarded
>>> > before the DNS server spends resources making TCP connections or parsing
>>> > DNS requests, but that rate limiting must be done before the DNS server
>>> > sees the requests."
>>> >
>>> > What precisely does this mean in the context of response rate limiting?
>>>
>>> if you have enough information at the firewall or gateway to be able to
>>> stop an attack merely by counting packets per source address, then the
>>> attacks you'll be stopping are against your name server, not the ones
>>> that merely use your name server as a reflecting amplifier to attack
>>> somebody else (whose IP source addresses are getting spoofed toward
>>> you.) correspondingly, if you want to stop reflection attacks from using
>>> you as an amplifier, you need information that a gateway or firewall
>>> won't have, such as the content of the prospective DNS response.
>>>
>>> _______________________________________________
>>> ratelimits mailing list
>>> ratelimits at lists.redbarn.org
>>> http://lists.redbarn.org/mailman/listinfo/ratelimits
>>>
>>
>>
>>
>> --
>> Nullius addictus jurare in verba magistri.
>>
>>
>
>
> --
> Nullius addictus jurare in verba magistri.
>



-- 
Nullius addictus jurare in verba magistri.
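As an added illustration of the distinction Paul draws in the quoted exchange (this is constructed example code, not code from the thread or from BIND's RRL implementation), here is a content-blind per-source packet counter beside a limiter keyed on the prospective response; the client addresses, names and the `qname`/`qtype`/`rcode` fields are assumptions made up for the demo.

```python
from collections import defaultdict
from ipaddress import ip_network


def netblock(addr, prefix=24):
    """Collapse a client address to its IPv4 /24, as RRL does before keying."""
    return str(ip_network(f"{addr}/{prefix}", strict=False))


class SourceCounter:
    """Firewall-style limiter: counts packets per source address, blind to content."""
    def __init__(self, limit):
        self.limit, self.seen = limit, defaultdict(int)

    def allow(self, src, response, now):
        self.seen[(src, int(now))] += 1
        return self.seen[(src, int(now))] <= self.limit


class ResponseRateLimiter:
    """RRL-style limiter: keyed on client netblock plus what the response
    would be (qname, qtype, rcode), counted per second."""
    def __init__(self, responses_per_second):
        self.limit, self.buckets = responses_per_second, defaultdict(int)

    def allow(self, src, response, now):
        key = (netblock(src), response["qname"], response["qtype"],
               response["rcode"], int(now))
        self.buckets[key] += 1
        return self.buckets[key] <= self.limit


def simulate(limiter):
    """Constructed traffic, all within one second: a busy resolver asking 30
    distinct names, and a (possibly spoofed) address that would receive the
    same answer 30 times. Returns (responses sent to the resolver,
    responses sent to the repeating address)."""
    legit = [{"qname": f"host{i}.example.", "qtype": "A", "rcode": "NOERROR"}
             for i in range(30)]
    repeated = [{"qname": "www.example.", "qtype": "A", "rcode": "NOERROR"}] * 30
    legit_sent = sum(limiter.allow("192.0.2.10", r, 0.5) for r in legit)
    repeat_sent = sum(limiter.allow("198.51.100.7", r, 0.5) for r in repeated)
    return legit_sent, repeat_sent


if __name__ == "__main__":
    print("per-source counter:", simulate(SourceCounter(5)))      # (5, 5)
    print("response-keyed RRL:", simulate(ResponseRateLimiter(5)))  # (30, 5)
```

The packet counter throttles the busy legitimate resolver exactly as hard as the repeating stream, because it cannot see that one is asking thirty different questions and the other is drawing the same answer thirty times; only the response-keyed limiter tells them apart.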