[ratelimits] Referrals incorrectly limited.

> > At the referral server you cannot distinguish between a DNS
> > reflection attack and "research" without talking to the
> > researcher/victim. Turning on rate limiting after a complaint from a
> > DoS victim and turning it off when that particular stream stops would
> > inevitably subject new victims to at least hours of DoS reflection
> > attack from your servers.
> Yes, and again it's a very gray area. As we don't exist in a vacuum, I
> believe that I would become aware of referrals/nxdomains becoming the
> new attack vector. Besides we are small and never the first in line for
> 'new events', nor having the necessary firepower for being the only
> vector in an attack. So it is unlikely that we'd be swamped by the
> events. 

I see nothing grey here after the bad guys start using referrals
and nxdomains because other reflections are mitigated by the several
schemes including RRL.

It is impossible to distinguish a single "research" flood from a
reflection attack until you talk to the target of your flood of
referrals.  Being small suggests you might not have 24x7 monitoring
of your packet counts by destination AS, but I'll assume you do.  How
would you contact the victim of your referral reflection attack without
subjecting the victim to at least hours of DoS attack while waiting
for the victim to respond?

I assume that that answer is that the victim must contact you.
If your victim is a big U.S. or European outfit with 24x7 coverage,
more monitoring than you have, plenty of out of main band bandwidth
for email, and no language problem on phone calls, that answer might
be tolerable.  I bet that even the big outfits would not think well
of you for waiting for them to ask you to stop DoS'ing them.

But what if the victim is smaller than you, about as distant as possible
from Europe, without Internet access because of your flood of referrals,
and speaks none of the languages that you do very well?

