[ratelimits] Referrals incorrectly limited.

Michael Sinatra michael+lists at burnttofu.net
Thu Jan 10 22:16:19 UTC 2013

On 1/10/13 7:29 AM, Vernon Schryver wrote:

> (after turning on rate limit after a complaint about an attack)
>> Sincerely: I hope very much I would turn it off. Certainly yes if the
>> attacks ceased.
> At the referral server you cannot distinguish between a DNS reflection
> attack and "research" without talking to the researcher/victim.
> Turning on rate limiting after a complaint from a DoS victim and
> turning it off when that particular stream stops would inevitably
> subject new victims to at least hours of DoS reflection attack
> from your servers.

Yes, and...

It's even worse than that.  We know that the bad guys now understand the
richness of the ways in which they can exploit authoritative DNS servers
for reflection-amplification attacks.  They have already changed their
tactics mid-attack in response to firewalls/IDSes that look for certain
fixed signatures in the query traffic.  It's only a matter of time
before they "discover" referrals as an amplification vector, and they
may have already discovered it and are keeping it in their back pockets.

At some point we will be forced to rate-limit referral responses.  Do we
want to do it now, when things may be a bit calmer and we can deal with
the breakage of "research" probes in a relatively calm way, with time to
explain how these probes might be done in a non-impacting way?  Or do we
want to wait until things are melting down with attack traffic, and our
NOCs are getting hounded by people who are being "attacked" by us
(really by our reflection of referral queries)?

It strikes me that, although there are trade-offs, the former is better.
If we know that we're going to break something for the benefit of the
greater good, it's probably better to do it when there's not a major
attack underway.  But that's just my philosophy.

Note also that I have seen the same sort of in-addr.arpa traffic,
and I am actually rate-limiting some of it...

