[ratelimits] Fragments of ARM Chapter 6 clarification

nudge nudgemac at fastmail.fm
Tue Feb 12 17:15:26 UTC 2013

> > nudge asked:
> >
> > "Attacks that justify ignoring the contents of DNS responses are likely
> > to be attacks on the DNS server itself. They usually should be discarded
> > before the DNS server spends resources making TCP connections or parsing
> > DNS requests, but that rate limiting must be done before the DNS server
> > sees the requests."
> >
> > What precisely does this mean in the context of response rate limiting?

Vernon Schryver replied:
> It is trying to say that firewall rules that keep minimal state to
> rate limit all requests or all requests from an IP address block are
> better protection for the DNS server itself than RRL.
> The goal of RRL is to make DNS reflection DoS attacks more expensive
> in bandwidth and less effective than sending directly toward the
> intended victim, while at the same time continuing to give the
> victim DNS service.
> Brute force rate limiting in a firewall (or equivalent limits in
> the DNS server) will deny DNS service to legitimate clients.  However,
> when a DNS server itself is under successful attack, it is by
> definition unable to provide DNS service to legitimate clients.

Paul Vixie replied:
> If you have enough information at the firewall or gateway to be able to
> stop an attack merely by counting packets per source address, then the
> attacks you'll be stopping are against your name server, not the ones
> that merely use your name server as a reflecting amplifier to attack
> somebody else (whose IP source addresses are getting spoofed toward
> you). Correspondingly, if you want to stop reflection attacks from using
> you as an amplifier, you need information that a gateway or firewall
> won't have, such as the content of the prospective DNS response.

I'd gotten the impression that you were against basic firewall
rate-limiting in front of DNS servers for some reason.

So if a DNS server is considered capable of handling X qps, it's useful
to firewall rate-limit qps to X as protection from overload when it's
directly attacked. This higher limit doesn't affect RRL during
reflection or amplification attacks on others, the two being completely
different issues and rates. In some cases basic firewall rate limiting
may also be usefully applied to limit qps from an IP address block,
without DNS response awareness and without affecting RRL functionality.
How am I doing?
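As an added illustration of the distinction the thread draws (example code written for this page, not from the original message, from BIND, or from any RRL implementation), the following Python simulates a packet-counting firewall limit in front of a name server next to a simplified response rate limiter. The firewall limiter only sees packets per second, globally and per source /24; the RRL-style limiter is keyed on the prospective answer (qname, qtype, rcode) and the client /24. It omits RRL features such as slip and multi-second windows. The capacity X, the per-block limit, the /24 prefix, the attack rates, and all addresses and names are constructed assumptions.

```python
"""Added example (not code from the thread or from BIND's RRL): two limiters
the thread contrasts, run against a direct flood and a reflection flood.
Capacities, netblocks and traffic are constructed assumptions."""
import ipaddress
from collections import defaultdict

X_QPS = 2000          # assumed server capacity: firewall global limit
PER_BLOCK_QPS = 200   # assumed firewall per-source-/24 limit
RRL_PER_SECOND = 5    # assumed cap on identical responses per client /24 per second


def block24(addr):
    """Netblock both limiters key on; a /24 is assumed here."""
    return ipaddress.ip_network(addr + "/24", strict=False)


class FirewallLimiter:
    """Counts packets per second, globally and per source /24; never parses DNS."""
    def __init__(self, total_qps, per_block_qps):
        self.total_qps, self.per_block_qps = total_qps, per_block_qps
        self.total = defaultdict(int)       # second -> packets accepted
        self.per_block = defaultdict(int)   # (second, /24) -> packets accepted

    def allow(self, second, src):
        blk = (second, block24(src))
        if self.total[second] >= self.total_qps or self.per_block[blk] >= self.per_block_qps:
            return False
        self.total[second] += 1
        self.per_block[blk] += 1
        return True


class ResponseRateLimiter:
    """Simplified RRL: limits identical responses to one client /24, so it is
    keyed on the answer (qname, qtype, rcode), which a firewall never sees."""
    def __init__(self, per_second):
        self.per_second = per_second
        self.sent = defaultdict(int)        # (second, /24, response key) -> count

    def allow(self, second, src, response_key):
        k = (second, block24(src), response_key)
        if self.sent[k] >= self.per_second:
            return False
        self.sent[k] += 1
        return True


def run(queries, fw=None, rrl=None):
    """Queries are (second, src, qname, qtype, label). Each is checked by the
    firewall first and, if it reaches the server, by RRL. Returns counts of
    (label, fate) with fate in {"firewall", "rrl", "answered"}."""
    out = defaultdict(int)
    for second, src, qname, qtype, label in queries:
        if fw and not fw.allow(second, src):
            out[(label, "firewall")] += 1
        elif rrl and not rrl.allow(second, src, (qname, qtype, "NOERROR")):
            out[(label, "rrl")] += 1
        else:
            out[(label, "answered")] += 1
    return dict(out)


def direct_flood(qps=5000):
    """Constructed: one second of queries aimed at the server itself, unique
    names, 100 sources per /24 so only the global limit can bite."""
    return [(0, f"10.0.{i // 100}.{i % 100 + 1}", f"q{i}.example.", "A", "attack")
            for i in range(qps)]


def reflection_flood(victim="192.0.2.10", qps=500):
    """Constructed: one second of spoofed queries for one large answer, all
    carrying the victim's address, followed by 10 genuine queries for
    other names from the victim's own /24."""
    spoofed = [(0, victim, "big.example.", "ANY", "attack") for _ in range(qps)]
    genuine = [(0, f"192.0.2.{20 + i}", f"www{i}.example.", "A", "legit") for i in range(10)]
    return spoofed + genuine


def scenarios():
    """Run both attacks against the firewall alone, RRL alone, and both together."""
    def fw():
        return FirewallLimiter(X_QPS, PER_BLOCK_QPS)

    def rrl():
        return ResponseRateLimiter(RRL_PER_SECOND)

    return {
        "direct, firewall+rrl": run(direct_flood(), fw(), rrl()),
        "reflection, firewall only": run(reflection_flood(), fw(), None),
        "reflection, rrl only": run(reflection_flood(), None, rrl()),
        "reflection, firewall+rrl": run(reflection_flood(), fw(), rrl()),
    }


if __name__ == "__main__":
    for name, counts in scenarios().items():
        print(name, counts)
```

Running it shows the two limits doing different jobs: the direct flood is cut to X by the firewall before the server parses anything, while the reflection flood never approaches X and is only reduced by the per-block count, which also drops every genuine query from the victim's /24; the response-keyed limiter drops the repeated large answer but still answers the victim block's queries for other names.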
