[ratelimits] RRL vs other approaches

Roland Dobbins rdobbins at arbor.net
Sun Feb 24 08:25:23 UTC 2013

Paul Vixie <paul at redbarn.org> wrote:

>good enough to be generally deployable by end system operators: no.
>we're talking about different things.

Possibly. One point I forgot to mention is that I've yet to run into the fairly unlikely circumstance of having a legitimate resolver actually issuing legitimate queries and being 'authenticated' against a given authoritative server, and then being promptly pummeled by a reflection/amplification attack leveraging that very same authoritative server to attack that very same resolver.

And although I don't have stats on this, my subjective experience seems to indicate that DNS resolvers are not generally the ultimate intended targets of DNS reflection/amplification attacks, anyways. AFAICT, it's mainly Web servers

Roland Dobbins <rdobbins at arbor.net>
