[ratelimits] Poor CERT warning message

Geert Jan de Groot GeertJan.deGroot at xs4all.nl
Tue Sep 10 21:10:34 UTC 2013


Please have a look at:
https://www.ncsc.nl/dienstverlening/response-op-dreigingen-en-incidenten/beveiligingsadviezen/NCSC-2013-0597+1.00+Rate+limiting+van+DNS+responses+veroorzaakt+kwetsbaarheid.htm

(which is in Dutch and which breaks Google Translate; cutting and pasting
the text itself does work, however).

Note that this refers to a CERT message from a French CERT (again,
use Google Translate if required).

I think these CERT warnings are poorly informed, incorrect, 
and lack a fundamental understanding of how RRL works. 

The mitigation proposed, instead of using RRL, is problematic:
"Managers of resolver DNS servers (!) could use monitoring to
detect unusually high amounts of DNS requests to detect an attack."
Right.

Unfortunately, CERT messages are sometimes seen as gospel
even when they are incorrect.

I'm not sure about what to do against spread of this misinformation.

Geert Jan