[ratelimits] RRL vs other approaches
Roland Dobbins
rdobbins at arbor.net
Sun Feb 24 08:25:23 UTC 2013
Paul Vixie <paul at redbarn.org> wrote:
>good enough to be generally deployable by end system operators: no.
>
>we're talking about different things.
Possibly. One point I forgot to mention is that I've yet to run into the fairly unlikely circumstance of having a legitimate resolver actually issuing legitimate queries and being 'authenticated' against a given authoritative server, and then being promptly pummeled by a reflection/amplification attack leveraging that very same authoritative server to attack that very same resolver.
And although I don't have stats on this, my subjective experience seems to indicate that DNS resolvers are not generally the ultimate intended targets of DNS reflection/amplification attacks, anyways. AFAICT, it's mainly Web servers
--------------------------------------
Roland Dobbins <rdobbins at arbor.net>