[ratelimits] Remarks regarding the Knot DNS 1.2.0 RRL implementation

Vernon Schryver vjs at rhyolite.com
Mon Mar 4 16:45:26 UTC 2013


> From: Matthijs Mekking <matthijs at nlnetlabs.nl>

> For the record, I think adding a large-response classification, like
> Knot did, can already have a positive effect in amplification mitigation
> in case of those "varying query attacks".

The goal is not to detect and block all attacks, but to detect and
block all attacks while only blocking attacks.  The most effective way
to detect and block all attacks is to turn off your DNS servers, but
you can't do that.  Mitigating attacks is not hard; the hard part is
not mitigating non-attacks.

The paper says that RRL does well against "varying query attacks"
for non-existent names or NXDOMAIN responses.  The problem with
"varying query attacks" for valid names is that as far as the DNS
server can determine, a "varying query attack" for valid names is
the same as the request stream from a perfectly legitimate recursive
resolver used by many stub resolvers.  Blocking or dampening
legitimate responses to the recursive resolvers of large ISPs would
be unacceptable except for hobby DNS servers.

I don't have words for the notion of blocking or dampening DNSSEC
responses in the name of security.


The serious problem for any reflection mitigation scheme is not "varying
query attacks" but distributed attacks.  An attack that sends fewer
than 0.2 requests/second/DNS server cannot be detected by any single
DNS server acting alone without far too many false positives. 


Vernon Schryver    vjs at rhyolite.com
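The three cases argued in the message above (NXDOMAIN varying-query attack, varying queries for valid names, and a low-rate distributed attack) can be put through a toy RRL accounting model. The model below is an added illustration, not code from the original post and not the RRL implementation of Knot DNS, BIND or NSD. It assumes a per-bucket limit of 5 responses per second, buckets keyed by client /24 prefix plus response identity (the name for a positive answer, a single shared bucket for all NXDOMAINs), and a constructed zone of 1000 names; every prefix, name and rate is a constructed sample value.

```python
"""Toy Response Rate Limiting (RRL) accounting model.

Added illustration, not Knot DNS, BIND or NSD code.  It keeps the one
feature of classic RRL the discussion turns on: responses are counted per
(client prefix, response identity) per second, and responses beyond the
limit are dropped.  All names, prefixes, rates and the limit are
constructed sample values.
"""
from collections import defaultdict
import random

LIMIT_PER_SECOND = 5  # assumed responses-per-second limit per bucket
# Constructed zone contents: 1000 existing names.
ZONE_NAMES = [f"host{i}.example.test" for i in range(1000)]
ZONE_SET = set(ZONE_NAMES)


def rrl_key(client_prefix, qname):
    """Bucket identity for a response.

    A positive answer is identified by the name it carries, so distinct
    valid names land in distinct buckets.  All NXDOMAIN responses to one
    prefix share a single bucket: the responses are near-identical no
    matter which non-existent name was asked for.
    """
    if qname in ZONE_SET:
        return (client_prefix, "answer", qname)
    return (client_prefix, "nxdomain")


def simulate(queries, limit=LIMIT_PER_SECOND):
    """Run the limiter over (second, client_prefix, qname) tuples.

    Returns (passed, dropped): how many responses were sent and how many
    were suppressed because their bucket was already over the limit.
    """
    sent = defaultdict(int)  # (second, bucket) -> responses sent so far
    passed = dropped = 0
    for second, prefix, qname in queries:
        bucket = (second, rrl_key(prefix, qname))
        if sent[bucket] < limit:
            sent[bucket] += 1
            passed += 1
        else:
            dropped += 1
    return passed, dropped


def nxdomain_varying_attack(seconds=10, qps=100, prefix="198.51.100.0/24"):
    """One spoofed /24 asks random non-existent names at 100 q/s."""
    rng = random.Random(1)
    return [(s, prefix, f"rnd{rng.randrange(10**9)}.example.test")
            for s in range(seconds) for _ in range(qps)]


def valid_name_varying_stream(seconds=10, qps=100, prefix="198.51.100.0/24"):
    """One /24 asks 100 distinct existing names per second.

    The limiter sees exactly the same stream whether this is a spoofed
    attack on a victim behind the prefix or a busy ISP recursive resolver.
    """
    return [(s, prefix, ZONE_NAMES[(s * qps + i) % len(ZONE_NAMES)])
            for s in range(seconds) for i in range(qps)]


def distributed_attack(seconds=10, sources=500, interval=5):
    """500 sources, each one query every 5 s: 0.2 q/s/source, 100 q/s total."""
    queries = []
    for src in range(sources):
        prefix = f"10.{src // 256}.{src % 256}.0/24"  # constructed prefixes
        for s in range(src % interval, seconds, interval):
            queries.append((s, prefix, ZONE_NAMES[(src + s) % len(ZONE_NAMES)]))
    return queries


def report():
    """Pass/drop counts for the three scenarios, all at 100 q/s aggregate."""
    return {
        "nxdomain varying (one prefix)": simulate(nxdomain_varying_attack()),
        "valid-name varying (one prefix)": simulate(valid_name_varying_stream()),
        "distributed, 0.2 q/s/source": simulate(distributed_attack()),
    }


if __name__ == "__main__":
    for name, (passed, dropped) in report().items():
        print(f"{name:36s} passed={passed:5d} dropped={dropped:5d}")
```

All three streams deliver the same 100 queries per second, but only the NXDOMAIN stream collapses into one bucket and gets limited; the valid-name stream and the distributed stream never put more than one response per bucket per second, so per-server accounting cannot separate them from legitimate recursive-resolver traffic without a limit so low it would also hit the legitimate resolvers.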

