[ratelimits] RRL vs other approaches
paul at redbarn.org
Sun Feb 24 16:24:30 UTC 2013
Roland Dobbins wrote:
> Paul Vixie <paul at redbarn.org> wrote:
>> good enough to be generally deployable by end system operators: no.
>> we're talking about different things.
> Possibly. One point I forgot to mention is that I've yet to run into the fairly unlikely circumstance of having a legitimate resolver actually issuing legitimate queries and being 'authenticated' against a given [recursive or] authoritative server, and then being promptly pummeled by a reflection/amplification attack leveraging that very same authoritative server to attack that very same resolver.
your experiences as a remediator are not predictive of what a global
system that behaved this way would experience.
> And although I don't have stats on this, my subjective experience seems to indicate that DNS resolvers are not generally the ultimate intended targets of DNS reflection / amplification attacks, anyways. AFAICT, it's mainly Web servers
we must not attempt to reason from the specific to the general in the way
you're implying here, if the details aren't endemic. that is, since the
bad guys can easily change from ANY to some other qtype, we won't widely
deploy a defense against ANY; similarly, since the bad guys can easily
choose a recursive dns server which shares upstream capacity with their
real target, we won't widely deploy a solution that only works if their
proximate and direct target is not a recursive dns server.
i'm not saying your experiences didn't happen or that your product
doesn't work. i'm saying that your experiences are not indicative of how
a global system that behaved this way would behave. the topic under
discussion is not what will work on a case by case basis, but rather
what can we globally deploy that will make the whole system harder to
successfully attack. thus RRL deals differently with attack flows than
opendns or googledns does -- those are already hard targets but like the
arbor service you've been describing the hardness of those targets
relies on methods that would not scale to large numbers of
less-well-funded name service plants, and which would not work if the
bad guys had no lower-hanging fruit and instead had to focus their
bypass efforts on your specific methods.
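The argument above (a defense keyed on a detail the attacker controls, such as the ANY qtype, is bypassed the moment the attacker changes that detail, whereas RRL caps how often any identical response is repeated to a client netblock) can be made concrete with a small simulation. This is an added example, not code from the ratelimits list, from Paul Vixie, or from BIND/NSD: the `RRL` class is a simplified per-second budget per (client netblock, response identity) with a slip ratio, omitting the real implementations' credit windows and error classes, and the traffic, addresses (documentation ranges) and limits are constructed for the illustration.

```python
"""Toy comparison of DNS response rate limiting (RRL) with a qtype-specific filter.
Added example; constructed traffic, not a real capture, and a deliberately
simplified RRL (assumption: flat per-second budget, no credit window)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    src_ip: str   # source address as seen by the authoritative server (spoofable over UDP)
    qname: str
    qtype: str
    t: float      # arrival time in seconds


def netblock(ip: str, prefix_len: int = 24) -> int:
    """Collapse an IPv4 address to its /prefix_len prefix; RRL buckets per netblock, not per host."""
    a, b, c, d = (int(x) for x in ip.split("."))
    addr = (a << 24) | (b << 16) | (c << 8) | d
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return addr & mask


class AnyFilter:
    """Defense keyed on one query type: refuse ANY, answer everything else in full."""
    def decide(self, q: Query) -> str:
        return "drop" if q.qtype == "ANY" else "answer"


class RRL:
    """Simplified response rate limiter (assumption: not BIND's or NSD's exact algorithm).

    Each (client netblock, second, response identity) gets `responses_per_second`
    full answers. Excess responses are dropped, except that every `slip`-th one is
    sent truncated (TC=1) so a genuine resolver can retry over TCP, which a spoofed
    UDP source never does. No qtype is treated specially.
    """
    def __init__(self, responses_per_second: int = 5, slip: int = 2):
        self.limit = responses_per_second
        self.slip = slip
        self.count = defaultdict(int)    # key -> full answers already sent this second
        self.dropped = defaultdict(int)  # key -> excess responses seen this second

    def decide(self, q: Query) -> str:
        # Response identity = the answer being repeated; the limit applies to
        # every identity alike, so switching qtype only opens a new, equally capped bucket.
        key = (netblock(q.src_ip), int(q.t), q.qname.lower(), q.qtype)
        if self.count[key] < self.limit:
            self.count[key] += 1
            return "answer"
        self.dropped[key] += 1
        return "truncate" if self.dropped[key] % self.slip == 0 else "drop"


def run(defense, queries):
    """Tally verdicts per source netblock so the two defenses can be compared."""
    tally = defaultdict(lambda: defaultdict(int))
    for q in queries:
        tally[netblock(q.src_ip)][defense.decide(q)] += 1
    return {k: dict(v) for k, v in tally.items()}


# Constructed traffic: an attacker spoofs the victim resolver 198.51.100.7, sending
# 100 ANY queries and then 100 TXT queries within the same second; a genuine
# resolver at 203.0.113.53 sends four ordinary A queries in that second.
VICTIM = "198.51.100.7"
GENUINE = "203.0.113.53"
ATTACK = ([Query(VICTIM, "example.org", "ANY", i / 1000) for i in range(100)]
          + [Query(VICTIM, "example.org", "TXT", 0.5 + i / 1000) for i in range(100)])
LEGIT = [Query(GENUINE, "www.example.org", "A", 0.1 * i) for i in range(4)]
TRAFFIC = sorted(ATTACK + LEGIT, key=lambda q: q.t)


def compare():
    """Return {defense name: {netblock: {verdict: count}}} for the constructed traffic."""
    return {"any_filter": run(AnyFilter(), TRAFFIC), "rrl": run(RRL(), TRAFFIC)}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name)
        for block, verdicts in result.items():
            print(f"  {block:>10x}: {verdicts}")
```

With the ANY filter the victim's netblock still receives all 100 full TXT responses, because the defense only ever knew about ANY. Under RRL each response identity is capped at five full answers per second, so the qtype switch buys the attacker another five, not another hundred, and the remainder is mostly dropped with a trickle of truncated replies; the genuine resolver in the other netblock is untouched by either defense because its own bucket never fills.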