[ratelimits] Remarks regarding the Knot DNS 1.2.0 RRL implementation

Matthijs Mekking matthijs at nlnetlabs.nl
Mon Mar 4 15:34:37 UTC 2013


On 03/04/2013 03:59 PM, Vernon Schryver wrote:
>> From: Matthijs Mekking <matthijs at nlnetlabs.nl>
> 
>> I like the idea of having a classification of large responses. It seems
>> that the current RRL algorithm does not perform well if an attack is
>> able to trigger various positive responses[1]. 
> 
> I think that is a misleading characterization of 
> http://www.nlnetlabs.nl/downloads/publications/report-rrl-dekoning-rozekrans.pdf
> Instead, I read that paper as saying that RRL does not detect all
> attacks.  That characterization also fails by omitting the quantitative
> aspects of the study's conclusions.

My apologies, I had no intention to mislead or omit anything on purpose.
Indeed, the paper mentions that RRL is not able to detect an attack that
cycles a large zone, triggering 100% positive responses with names
evenly distributed. It does detect attacks that trigger partially
positive responses, but is less able to mitigate the amplification. For
the quantitative aspects of 'less' and 'partially', I refer to the paper.

For the record, I think adding a large-response classification, like
Knot did, can already have a positive effect in amplification mitigation
in case of those "varying query attacks".


> 
>> I agree that performing such an attack is more complex than an ANY or
>> NXDOMAIN attack, but it is certainly feasible (especially with NSEC).
>>
>> What do you consider large?
>>
>> Adding weight to the classes is a direction that we definitely can
>> look into. I guess the "penalty points" used in the Dampening
>> proposal can form a good base for that.
> 
> That reasoning is based on the assumption that some DNS responses are
> of little value and that the bad guys must use those less valuable
> responses.  It is a version of the idea that reflection attacks can be
> mitigated by blocking ANY requests.  That reasoning will have you
> Dampening DNSSEC signed NS, SOA, A, and AAAA responses.

The reasoning will still have you limit similar responses, only one
more aggressively than the other. We already added whitelists for certain
legit traffic that looks awfully similar to an attack. Thus, having
weights for different scenarios does not sound that bad to me.

But I also agree with Marek that it might not be worth the effort to
implement right now. I think adding classifications is more effective to
mitigate against different attacks.

Best regards,
  Matthijs

> Vernon Schryver    vjs at rhyolite.com


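As an added illustration of the point argued in this message, the following Python simulation is example code written for this page; it is not code from Knot DNS, BIND, or the NLnet Labs paper. It models a token bucket per (client prefix, response class, name or zone) and shows why an attack that cycles through many names of a large zone, drawing 100% positive responses, slips past a positive-answer bucket keyed on the query name, while a per-zone "large response" class catches it and a per-class cost ("penalty points") reduces the amplification further. The class names, the 1000-byte large threshold, the /24 client aggregation, the bucket keys and the costs are all assumptions chosen for the example, and the attack traffic is constructed.

```python
"""Toy response-rate-limiting (RRL) simulation.

Added example, not code from Knot DNS, BIND or the NLnet Labs paper.
All thresholds, bucket keys, class names and costs are assumptions.
"""
import ipaddress

LARGE_THRESHOLD = 1000   # assumed: responses of at least this many bytes are "large"
PREFIX_LEN = 24          # assumed: IPv4 clients are aggregated per /24


def classify(rcode, qtype, size, large_class=True):
    """Map a response to an RRL class (the class names are assumptions)."""
    if rcode == "NXDOMAIN":
        return "nxdomain"
    if qtype == "ANY":
        return "any"
    if large_class and size >= LARGE_THRESHOLD:
        return "large"
    if rcode == "NOERROR":
        return "positive"
    return "error"


def bucket_key(client_ip, zone, qname, qtype, cls):
    """Positive answers are bucketed per name; every other class per zone.

    Bucketing positive answers per name is what lets an attacker cycling
    distinct names of one zone evade the limit: each name gets a fresh bucket.
    """
    prefix = ipaddress.ip_network(f"{client_ip}/{PREFIX_LEN}", strict=False)
    if cls == "positive":
        return (str(prefix), cls, qname.lower(), qtype)
    return (str(prefix), cls, zone.lower())


class TokenBucketRrl:
    def __init__(self, rate, burst=None, costs=None, large_class=True, whitelist=()):
        self.rate = float(rate)              # tokens refilled per second
        self.burst = float(burst or rate)    # bucket capacity
        self.costs = dict(costs or {})       # per-class token cost ("penalty points")
        self.large_class = large_class       # whether the "large" class exists at all
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.buckets = {}                    # key -> (tokens, last_seen)

    def check(self, now, client_ip, zone, qname, qtype, rcode, size):
        """Return (allowed, class); a denied response would be dropped or slipped."""
        if any(ipaddress.ip_address(client_ip) in n for n in self.whitelist):
            return True, "whitelisted"
        cls = classify(rcode, qtype, size, self.large_class)
        key = bucket_key(client_ip, zone, qname, qtype, cls)
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        cost = self.costs.get(cls, 1)
        if tokens >= cost:
            self.buckets[key] = (tokens - cost, now)
            return True, cls
        self.buckets[key] = (tokens, now)
        return False, cls


def varying_query_attack(rrl, n=1000, size=1500, src="192.0.2.10"):
    """Constructed attack: n spoofed A queries for n distinct names of one
    zone, spread evenly over one second, each answered with a large positive
    response. Returns how many responses the limiter lets out."""
    allowed = 0
    for i in range(n):
        ok, _ = rrl.check(i / n, src, "example.", f"host{i}.example.", "A", "NOERROR", size)
        allowed += ok
    return allowed


if __name__ == "__main__":
    # Without a large class every name gets its own bucket: nothing is limited.
    print(varying_query_attack(TokenBucketRrl(rate=5, large_class=False)))
    # A per-zone large class makes the whole attack share one bucket: burst plus refill.
    print(varying_query_attack(TokenBucketRrl(rate=5)))
    # Charging a large response two points roughly halves what still gets out.
    print(varying_query_attack(TokenBucketRrl(rate=5, costs={"large": 2})))
```

With a rate of 5 responses per second and the same burst, the attack above gets all 1000 responses out when only per-name positive buckets exist, 9 when the per-zone large class is enabled, and 4 when large responses cost two points. Note that a whitelisted prefix bypasses the buckets entirely, so a whitelist entry for a legitimate resolver must be as narrow as possible, since a spoofed source inside it is not limited at all.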