[ratelimits] "on the time value of security features in dns"

Paul Vixie paul at redbarn.org
Mon Sep 16 18:44:43 UTC 2013


...

Matthijs Mekking wrote:
> Hi Paul,
>
> On 09/16/2013 06:12 PM, Paul Vixie wrote:
>
> ...
>> slip=1 amounts to a self-DoS by the server operator against his own
>> server, since it encourages real victims to depend solely on TCP which
>> is way more fragile than UDP, and also bypasses the fundamental intent
>> of an RRL-using operator by which i mean it fails to make the RRL-using
>> server unattractive to bad guys.
>
> That is a nice additional consideration for people to take into account
> when making a decision for the slip configuration, thanks. Though I
> would like to see measurements of how much additional TCP traffic that
> really triggers towards the authoritative name server.

my point is that the attacker can easily cause tcp resource exhaustion
at the server, simultaneous with their attack, thus slip=1 opens the
door to a content denial attack simultaneous with the packet storm.

vixie
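To make the slip trade-off concrete, here is a small model of one RRL bucket under a spoofed query stream. It is an added illustration for this thread, not code from the ratelimits list, from BIND or from any RRL implementation, and it simplifies RRL to a per-second response counter per bucket with the slip cadence applied to the queries that exceed it (slip=0 drops every limited response; slip=N returns every N-th limited response truncated with TC=1). The network, name and traffic figures are constructed; the attacker forges the victim's address, so a genuine client at that address shares the bucket and inherits whatever slip does to it.

```python
"""Model of DNS Response Rate Limiting (RRL) with the 'slip' setting.

Added example; not code from the ratelimits list or any RRL implementation.
One bucket = (client network, response identity). At most `rps` full answers
per second leave the bucket; the rest are rate-limited and handled by slip:
  slip=0 -> drop silently
  slip=N -> every N-th limited response is sent truncated (TC=1), so a
            genuine client retries over TCP; the others are dropped.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class RRLStats:
    answered: int = 0   # full UDP answers sent
    dropped: int = 0    # rate-limited responses silently discarded
    slipped: int = 0    # rate-limited responses sent as TC=1 (TCP retry needed)


class RateLimiter:
    """Per-second counter per bucket; simplified stand-in for RRL's token bucket."""

    def __init__(self, responses_per_second: int, slip: int):
        if slip < 0:
            raise ValueError("slip must be 0 (never truncate) or a positive interval")
        self.rps = responses_per_second
        self.slip = slip
        self._window = {}                   # bucket -> second the counter belongs to
        self._count = defaultdict(int)      # answers sent in that second
        self._limited = defaultdict(int)    # limited responses seen, drives slip cadence

    def decide(self, bucket: tuple, now: int) -> str:
        """Return 'answer', 'drop' or 'slip' for a query arriving in second `now`."""
        if self._window.get(bucket) != now:     # new second: reset the answer counter
            self._window[bucket] = now
            self._count[bucket] = 0
        if self._count[bucket] < self.rps:
            self._count[bucket] += 1
            return "answer"
        self._limited[bucket] += 1
        if self.slip and self._limited[bucket] % self.slip == 0:
            return "slip"
        return "drop"


def simulate(slip: int, attack_qps: int, legit_qps: int,
             seconds: int = 1, rps: int = 5) -> dict:
    """Push spoofed and genuine queries for the same bucket through the limiter.

    Genuine queries are spread evenly through each second's attack traffic.
    Returns {'attack': RRLStats, 'legit': RRLStats} so the TCP burden placed on
    the genuine client, and the packets still leaving the server, can be read off.
    """
    if attack_qps < legit_qps:
        raise ValueError("model assumes attack traffic dominates genuine traffic")
    limiter = RateLimiter(rps, slip)
    bucket = ("192.0.2.0/24", "example.test/A")     # constructed identifiers
    stats = {"attack": RRLStats(), "legit": RRLStats()}
    legit_at = set()
    if legit_qps:
        legit_at = {round(k * attack_qps / legit_qps) for k in range(legit_qps)}
    for now in range(seconds):
        for i in range(attack_qps):
            arrivals = (["legit"] if i in legit_at else []) + ["attack"]
            for who in arrivals:
                verdict = limiter.decide(bucket, now)
                if verdict == "answer":
                    stats[who].answered += 1
                elif verdict == "slip":
                    stats[who].slipped += 1
                else:
                    stats[who].dropped += 1
    return stats


def tcp_fallback_share(s: RRLStats) -> float:
    """Fraction of a client's rate-limited queries that can only succeed over TCP."""
    limited = s.slipped + s.dropped
    return s.slipped / limited if limited else 0.0


def responses_sent(stats: dict) -> int:
    """UDP packets leaving the server toward the (spoofed) source address."""
    return sum(s.answered + s.slipped for s in stats.values())


if __name__ == "__main__":
    for slip in (0, 1, 2):
        r = simulate(slip=slip, attack_qps=100, legit_qps=10)
        print(f"slip={slip}: packets out={responses_sent(r):3d}  "
              f"legit TCP-only share={tcp_fallback_share(r['legit']):.2f}  "
              f"legit dropped={r['legit'].dropped}")
```

With the constructed figures (5 answers/s allowed, 100 spoofed and 10 genuine queries/s), slip=0 lets 5 packets out and leaves the genuine client retrying over UDP; slip=1 sends a response for every single query (110 packets, all but 5 of them truncated) and makes every rate-limited genuine query TCP-only; slip=2 halves both numbers. Whether the server's TCP listener can absorb that fallback load during an attack is the question the thread leaves open, and the measurement Matthijs asks for is what would settle it.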