[ratelimits] Remarks regarding the Knot DNS 1.2.0 RRL implementation

Matthijs Mekking matthijs at nlnetlabs.nl
Tue Mar 5 08:51:53 UTC 2013

On 03/04/2013 05:45 PM, Vernon Schryver wrote:
>> From: Matthijs Mekking <matthijs at nlnetlabs.nl>
>> For the record, I think adding a large-response classification, like
>> Knot did, can already have a positive effect in amplification mitigation
>> in case of those "varying query attacks".
> The goal is not to detect and block all attacks, but to detect and
> block all attacks while only blocking attacks.  The most effective way
> to detect and block all attacks by turning off your DNS servers, but
> you can't do that.  Mitigating attacks is not hard; the hard part is
> not mitigating non-attacks.

Sorry I do not parse that first sentence. I also argue that if you turn
off your DNS servers, you would have a hard time detecting attacks, but
blocking is going to happen, yes. And I don't think a large-response
classification is going to mitigate non-attacks, keep in mind that we
are still limit only similar responses.

> The paper says that RRL does well against "varying query attacks"
> for non-existent names or NXDOMAIN responses.  The problem with
> "varying query attacks" for valid names is that as far as the DNS
> server can determine, a "varying query attack" for valid names is
> the same as the request stream from a perfectly legitimate recursive
> resolver used by many stub resolvers.  Blocking or dampening
> legitimate responses to the recrusive resolvers of large ISPs would
> be unacceptable except for hobby DNS servers.

Yes, the attack looks like legitimate traffic, which is the reason why
it is hard to detect. You probably can only differentiate between legit
traffic and an attack because of the increased traffic load.

> I don't have words for the notion of blocking or dampening DNSSEC
> responses in the name of security.

Nobody is saying that.

> The serious problem for any reflection mitigation scheme is not "varying
> query attacks" but distributed attacks.  An attack that sends fewer
> than 0.2 requests/second/DNS server cannot be detected by any single
> DNS server acting alone without far too many false positives. 

I think both "varying query attacks" and distributed attacks are serious
problems. In both cases the goal of the attacker is to maintain
undetected by the name server.

Best regards,

> Vernon Schryver    vjs at rhyolite.com
> _______________________________________________
> ratelimits mailing list
> ratelimits at lists.redbarn.org
> http://lists.redbarn.org/mailman/listinfo/ratelimits

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 553 bytes
Desc: OpenPGP digital signature
URL: <http://lists.redbarn.org/pipermail/ratelimits/attachments/20130305/e217bb54/attachment.pgp>

More information about the ratelimits mailing list