[ratelimits] Referrals incorrectly limited.

Gilles Massen gilles.massen at restena.lu
Fri Jan 11 09:55:17 UTC 2013

On 01/10/2013 11:59 PM, Vernon Schryver wrote:
>> From: Gilles Massen <gilles.massen at restena.lu>
>> Yes, and again it's a very gray area. As we don't exist in a vaccum, I
>> believe that I would become aware of referrals/nxdomains becoming the
>> new attack vector. Besides we are small and never the first in line for
>> 'new events', nor having the necessary firepower for being the only
>> vector in an attack. So it is unlikely that we'd be swamped by the
>> events. 
> I see nothing grey here after the bad guys start using referrals
> and nxdomains because other reflections are mitigated by the several
> schemes including RRL.

Yes, after. My point is that the referral limiting is not necessary
before. Or at least at a significantly different level than normal
response limiting which is currently being abused.

> It is impossible to distinguish a single "research" flood from a
> reflection attack until you talk to the target of your flood of
> referrals.  Being small suggests you might not have 24x7 monitoring
> of your packet counts by destination AS, but I'll assume you do.  How
> would you contact the victim of your referral reflection attack without
> subjecting the victim to at least hours of DoS attack while waiting
> for the victim to respond?
> I assume that that answer is that the victim must contact you.
> If your victim is a big U.S. or European outfit with 24x7 coverage,
> more monitoring than you have, plenty of out of main band bandwidth
> for email, and no language problem on phone calls, that answer might
> be tolerable.  I bet that even the big outfits would not think well
> of you for waiting for them ask you stop DoS'ing them.
> But what if the victim is smaller than you, about as distant as possible
> from Europe, without Internet access because of your flood of referrals,
> and speaks none of the languages that you do very well?

You are assuming that I would keep that approach forever, but that is
not true. All this is not supposed to be hammered in stone, but to
evolve along with actual facts. When (if) a shift to referral attacks
happens, there could be a few victims, for a few hours. I'm not happy
about it but in the overall picture I'm accepting that risk. And no, the
potential victim would probably not agree. Then again, it is likely that
for first attacks we would only be a vector among many (again, unless
the overall install base of RRL changes), which again I find acceptable
for a few events and a limited duration. If the attacks would become
commonplace referral limiting would have to stay on, but I don't want to
install limitations with known side effects (good or bad, depends on the
definition) before they are needed.


More information about the ratelimits mailing list