[ratelimits] RRL vs other approaches

Dobbins, Roland rdobbins at arbor.net
Sat Feb 23 11:35:24 UTC 2013

On Feb 19, 2013, at 10:02 PM, Paul Vixie wrote:

> the subsequent udp queries you would prospectively receive following a successful tcp session in the above scenario need not be truly sourced. 

This is true, but we shouldn't make the perfect the enemy of the merely good, nor look for a 'silver bullet'.  FYI, I haven't yet seen an attacker a) authenticate via TCP and then b) zorch the servers in question by spoofing the authenticated source IP; and even if an attacker chose to do so, other means of classifying and mitigating the attack traffic (such as RRL and other tools/techniques) should be utilized.

Disallowing ANY queries during an attack as a means of partial service recovery is also a legitimate reaction, if other methods fail to mitigate the attack or are not available.  One must understand the consequence of doing so, of course; but it shouldn't be ruled out entirely, it just shouldn't be a default stance.

Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton

More information about the ratelimits mailing list