[ratelimits] Referrals incorrectly limited.
gilles.massen at restena.lu
Thu Jan 10 22:05:35 UTC 2013
On 10/1/13 16:29 , Vernon Schryver wrote:
>> From: Gilles Massen <gilles.massen at restena.lu>
> As the operator of the absolutely trivial authority servers for
> 61.188.192.in-addr.arpa, I see that position as similar to the
> position of some open SMTP relays about relaying spam. The as fast
> as possible, never ending, endlessly repeated "research" probing of
> my /24 doesn't do worse than endlessly trigger RRL on my DNS servers.
> I find that noise in my RRL logs irritating and inconvenient as I eat
> my own dog food and watch for RRL bugs. I assume that the bad guys
> do enough caching and retrying that rate limiting referrals by the
> *.arin.net servers for 192.in-addr.arpa would not help me, but wire
> speed referrals still smell like collaboration with abusers.
Any referral to a malware hosting site (even if it is a compromised
site) is a form of collaboration with abusers. It is only a different
shade of gray. We clearly disagree about how dark the gray should get
before action is taken. But then I'm strongly attached to 'innocent
until proven guilty', and I often feel uncomfortable about a lot of
security practices current on the Internet because they remind me more
of the Far West than of procedures worthy of a democracy (lacking
due process, separation of powers, the right to defend yourself, the
right to be heard before being virtually crucified). So my position
towards our operation is directly derived from that.
Now to be very clear: I find the general approach of RRL quite balanced
and not part of the vigilante culture I deeply mistrust. It is only some
roughness around the edges that bothers me.
>>> Are your DNS servers open recursive servers?
>> No open recursive servers. Honoring RD=1 would be a different
>> service, clearly announced with RA=1. Our mission however is only
>> the TLD, and with RA=0 we don't raise any different expectations.
> Any service announcing must happen before the service is requested.
> RA=0 is not an announcement but an error code explaining a short or
> REFUSED response. RA=1 in your responses would be no more an
> announcement that you would honor RD=1 than the non-existent
> announcement that your DNS servers will honor requests at any
> particular rate.
I agree with the RA=1 but not with the similarity of not rate-limiting.
> That you don't give long responses for RD=1 because you respond with
> RA=0 doesn't answer the question given your previous statement about
> the good of the Internet and so forth. Why don't you set RA=1 and
> answer RD=1 with full answers instead of referrals? That would
> provide a more valuable service to more of the Internet than
> referrals. Instead of sending referrals, you could save your DNS
> clients (including those cursed "researchers") significant bandwidth
> and time by sending them final answers.
My mission is to operate a zone, as well and as reliably as possible. Even
if RA=1 might provide a bonus to clients, it is out of scope. On the
other hand doing a good job includes not putting brakes on it, and if it
was unavoidable I'd have to announce that.
> Besides the undoubted answer that open recursives have long been
> seen as evil but unrate-limited DNSSEC aware referrers are not yet
> understood the same, there is another answer. If you honored the
> RD=1 that I suspect is in those "research" requests, your server
> would be rate limited by the authoritative servers. Depending on how
> openly evil those "researchers" are, that would either choke and kill
> your servers with recursive contexts or indirectly rate limit the
Quite right. But then I'd be in the realm of operational problems and
I'd feel entitled (and obliged) to react - and to try to choose the
lesser evil. So another reason for not doing RA=1 (besides that it is
out of scope) would be that it could threaten the main mission.
> (after turning on rate limit after a complaint about an attack)
>> Sincerely: I hope very much I would turn it off. Certainly yes if
>> the attacks ceased.
> At the referral server you cannot distinguish between a DNS
> reflection attack and "research" without talking to the
> researcher/victim. Turning on rate limiting after a complaint from a
> DoS victim and turning it off when that particular stream stops would
> inevitably subject new victims to at least hours of DoS reflection
> attack from your servers.
Yes, and again it's a very gray area. As we don't exist in a vacuum, I
believe that I would become aware of referrals/nxdomains becoming the
new attack vector. Besides, we are small and never the first in line for
'new events', nor do we have the necessary firepower to be the only
vector in an attack. So it is unlikely that we'd be swamped by the
events. On the other hand, if referral based attacks became too common,
referral limiting would be the lesser evil, so we might end there. But
until that is actually happening I consider referral limiting as the
bigger evil (simply because the current referrals are not evil on my
scale). Yes, I'm quite aware that I might expose some innocent parties
to risks (and there are some very rough safeguards in place), but
that's a choice I cannot avoid and have to make over and over again.