[ratelimits] RRL vs other approaches

Dobbins, Roland rdobbins at arbor.net
Sat Feb 23 11:35:24 UTC 2013


On Feb 19, 2013, at 10:02 PM, Paul Vixie wrote:

> the subsequent udp queries you would prospectively receive following a successful tcp session in the above scenario need not be truly sourced. 

This is true, but we shouldn't make the perfect the enemy of the merely good, nor look for a 'silver bullet'.  FYI, I haven't yet seen an attacker a) authenticate via TCP and then b) zorch the servers in question by spoofing the authenticated source IP; and even if an attacker chose to do so, other means of classifying and mitigating the attack traffic (such as RRL and other tools/techniques) should be utilized.

Disallowing ANY queries during an attack as a means of partial service recovery is also a legitimate reaction, if other methods fail to mitigate the attack or are not available.  One must understand the consequence of doing so, of course; but it shouldn't be ruled out entirely, it just shouldn't be a default stance.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
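The two mitigations the reply weighs, a "TCP-verified source" allow-list and RRL, can be put side by side in a small simulation. The block below is an added illustration written for this page; it is not code from BIND, NSD, or anyone on the list. The addresses, the query stream and the RRL parameters are constructed, and the limiter is a simplified per-second counter rather than the credit-based window real RRL uses. It shows the point Vixie raises: once 192.0.2.10 has completed one TCP query, UDP packets spoofed with that source pass the allow-list untouched, and it is the (qname, qtype, client /24) rate limit, or refusing ANY outright, that actually caps the reflected volume.

```python
"""
Simulation of a TCP-verified allow-list stacked with Response Rate
Limiting (RRL) for an authoritative DNS server.  Added example, not
code from BIND/NSD or from the ratelimits list; all inputs are constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    src: str      # source IP as seen on the wire (spoofable over UDP)
    proto: str    # "tcp" or "udp"
    qname: str
    qtype: str
    t: float      # arrival time in seconds


class TcpVerifiedAllowlist:
    """Remembers sources that completed a TCP query (a handshake cannot be
    spoofed blind).  Caveat: later UDP queries carrying that source may
    still be forged; the allow-list cannot tell them apart."""

    def __init__(self):
        self.verified = set()

    def observe(self, q):
        if q.proto == "tcp":
            self.verified.add(q.src)

    def allows(self, q):
        return q.proto == "tcp" or q.src in self.verified


class ResponseRateLimiter:
    """RRL-style limiter: identical responses are counted per
    (client prefix, qname, qtype) per one-second window.  Beyond
    responses_per_second, every slip-th response is sent truncated
    (TC=1, pushing a real client to TCP) and the rest are dropped.
    Simplified from real RRL, which accumulates credit over `window`."""

    def __init__(self, responses_per_second=5, slip=2, prefix_len=24):
        self.rps = responses_per_second
        self.slip = slip
        self.prefix_len = prefix_len
        self.counts = defaultdict(int)   # (window, key) -> responses sent
        self.over = defaultdict(int)     # key -> responses over the limit

    def _key(self, q):
        net = ipaddress.ip_network(f"{q.src}/{self.prefix_len}", strict=False)
        return (str(net), q.qname.lower(), q.qtype)

    def decide(self, q):
        if q.proto == "tcp":
            return "answer"              # TCP is not reflectable; never limited
        key = self._key(q)
        slot = (int(q.t), key)
        self.counts[slot] += 1
        if self.counts[slot] <= self.rps:
            return "answer"
        self.over[key] += 1
        if self.slip and self.over[key] % self.slip == 0:
            return "slip"                # truncated reply, TC bit set
        return "drop"


def serve(queries, refuse_any=False, rps=5, slip=2):
    """Run queries through the allow-list, the optional ANY refusal
    (the 'partial service recovery' stance), then RRL; return outcome counts."""
    allow = TcpVerifiedAllowlist()
    rrl = ResponseRateLimiter(rps, slip)
    outcomes = defaultdict(int)
    for q in queries:
        allow.observe(q)
        if not allow.allows(q):
            outcomes["refused:unverified"] += 1
            continue
        if refuse_any and q.qtype == "ANY":
            outcomes["refused:any"] += 1
            continue
        outcomes[rrl.decide(q)] += 1
    return dict(outcomes)


def constructed_scenario():
    """Constructed input: the victim at 192.0.2.10 makes one genuine TCP
    query, then 100 UDP ANY queries spoofed with its address arrive
    within a single second."""
    qs = [Query("192.0.2.10", "tcp", "example.com", "A", 0.0)]
    qs += [Query("192.0.2.10", "udp", "example.com", "ANY", 1.0 + i / 100)
           for i in range(100)]
    return qs


if __name__ == "__main__":
    print(serve(constructed_scenario()))                   # allow-list + RRL
    print(serve(constructed_scenario(), refuse_any=True))  # ANY refused
    print(serve(constructed_scenario()[1:]))               # no TCP verification
```

With the TCP query present, the allow-list admits all 100 spoofed packets; RRL answers 5, truncates 47 and drops 48, so the victim receives only 5 full amplified replies plus small TC responses. Refusing ANY during the attack cuts the reflected volume to zero at the cost of legitimate ANY clients, which is why it is a fallback rather than a default.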


