[ratelimits] RRL vs other approaches

Paul Vixie paul at redbarn.org
Sun Feb 24 06:00:41 UTC 2013


...

Roland Dobbins wrote:
> Vernon Schryver <vjs at rhyolite.com> wrote:
>
>> That you manage to "authenticate" some DNS requests from 10.2.3.4
>> using TCP, TSIG, or any other scheme IMPLIES NOTHING about other
>> UDP requests that claim to be from 10.2.3.4.
>
> That's true - but, you know, I've been using this mechanism to defeat some pretty serious spoofed DDoS attacks for the last 11 years or so, and it works pretty well, in practice. More granularity is welcome, but in a majority of cases, it's been Good Enough. ...

good enough for point solutions such as ddos-resistance as a service: yes.

good enough to be generally deployable by end system operators: no.

we're talking about different things.

paul