[ratelimits] An abstract on another approach

Dobbins, Roland rdobbins at arbor.net
Sat Mar 2 07:27:38 UTC 2013


On Mar 2, 2013, at 10:29 AM, Edward Lewis wrote:

> We elected to employ the "REFUSED" return code in response to any query coming over UDP for type=ANY.

Why REFUSED?  Why not simply tell the querying resolver to switch to truncate mode, and then answer that way if it responds?

I'm on record as saying that it may make sense to filter out ANY queries against a given domain/server during a specific attack in which they're being abused for reflection/amplification, if that's the best way to achieve partial service recovery whilst casting about for more granular mitigation tactics.  

But outright refusing ANYs all the time is adding to brokenness of the same class as blocking all ICMP, filtering out TCP/53, or dropping UDP DNS responses larger than 512 bytes; essentially, it's a form of Internet vandalism, IMHO.

Attackers can abuse any type of record for reflection/amplification: large TXT records, or any DNSSEC response, which is guaranteed to provide a 1300-byte minimum answer.  So, electing to simply filter out a given query type on a permanent basis isn't going to provide a permanent solution, and will cause breakage beyond your direct span of administrative control.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
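The two server behaviours discussed in this exchange (REFUSED for ANY over UDP, versus a TC=1 reply that pushes the resolver to TCP), as an added, self-contained example that is not code from the list or from either poster. It builds raw DNS wire messages with struct, uses a constructed zone for example.com (an A record plus a padded TXT record, so an ANY answer is visibly larger than the query), and includes a minimal stub-resolver loop that retries over TCP only when the TC bit is set. EDNS/OPT handling and compression in the question name are deliberately left out; the function and zone names are this example's own.

```python
import struct

QTYPE_A, QTYPE_TXT, QTYPE_ANY = 1, 16, 255
RCODE_NOERROR, RCODE_REFUSED = 0, 5
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100


def encode_name(qname):
    """Wire-encode a dotted name as length-prefixed labels plus root."""
    out = b""
    for label in qname.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, txid=0x1234):
    """Minimal RD=1 query with one question and no EDNS OPT record."""
    return (struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, 1))


def parse_query(msg):
    """Parse header and the single question; anything after it is ignored."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    pos += 4
    return {"txid": txid, "flags": flags, "qname": ".".join(labels) + ".",
            "qtype": qtype, "qclass": qclass, "question": msg[12:pos]}


def rr(rtype, rdata, ttl=300):
    """One answer RR; the owner name is a pointer (0xC00C) to the question name."""
    return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


# Constructed zone data (not real records): a 4-byte A and a 213-byte TXT rdata.
TXT_RDATA = b"".join(bytes([len(s)]) + s for s in (b"v=spf1 -all", b"x" * 200))
ZONE = {
    ("example.com.", QTYPE_A): [rr(QTYPE_A, bytes([192, 0, 2, 1]))],
    ("example.com.", QTYPE_TXT): [rr(QTYPE_TXT, TXT_RDATA)],
}


def lookup(qname, qtype):
    """ANY returns every RR held for the name; other types return just that type."""
    if qtype == QTYPE_ANY:
        return [r for (name, _), rrs in ZONE.items() if name == qname for r in rrs]
    return list(ZONE.get((qname, qtype), []))


def build_response(query, answers, rcode=RCODE_NOERROR, tc=False):
    q = parse_query(query)
    flags = FLAG_QR | FLAG_AA | (q["flags"] & FLAG_RD) | (FLAG_TC if tc else 0) | rcode
    header = struct.pack("!HHHHHH", q["txid"], flags, 1, len(answers), 0, 0)
    return header + q["question"] + b"".join(answers)


def answer_refused_policy(query, via_udp):
    """Policy quoted in the thread: ANY over UDP is answered with RCODE=REFUSED."""
    q = parse_query(query)
    if via_udp and q["qtype"] == QTYPE_ANY:
        return build_response(query, [], rcode=RCODE_REFUSED)
    return build_response(query, lookup(q["qname"], q["qtype"]))


def answer_truncate_policy(query, via_udp):
    """Alternative from the reply: ANY over UDP gets an empty TC=1 reply, so the
    resolver retries over TCP, where the full answer is served."""
    q = parse_query(query)
    if via_udp and q["qtype"] == QTYPE_ANY:
        return build_response(query, [], tc=True)
    return build_response(query, lookup(q["qname"], q["qtype"]))


def parse_flags(response):
    _, flags = struct.unpack("!HH", response[:4])
    return {"qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC), "rcode": flags & 0xF}


def resolver_fetch(server_policy, query):
    """Stub-resolver behaviour: UDP first, retry over TCP only if TC is set.
    REFUSED is a final answer from the resolver's point of view; it does not retry."""
    resp = server_policy(query, via_udp=True)
    if parse_flags(resp)["tc"]:
        return "tcp", server_policy(query, via_udp=False)
    return "udp", resp


def amplification(query, response):
    """Bytes sent back per byte received; what a reflector victim cares about."""
    return len(response) / len(query)
```

Under the truncate policy the UDP reply to an ANY query is exactly the size of the query (29 bytes here), so a spoofed source gains nothing, while a legitimate resolver gets the 270-byte answer after its TCP retry. Under the REFUSED policy the reflection is equally neutralised, but the legitimate resolver never retries and simply has no answer.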


