<html><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
</head><body bgcolor="#FFFFFF" text="#000000"><br>
<br>
Zane Thomas wrote:
<blockquote
cite="mid:CAM=p8h=+ZfNiU48GsFos9BM34vVdX_tVBosyXsAN14_f8t1rxA@mail.gmail.com"
type="cite">
<div><br></div>
Do you need the content of the out-going message or is it good enough to
know that a given ip is being sent more replies than it sent questions?</blockquote>
<br>
you absolutely have to know what the prospective response would be.
that's the point of RRL. if we could solve this with front end load
balancers which were not DNS-aware (and DNS content aware) we would do
it.<br>
<br>
paul<br>
<br>
re:<br>
<br>
<blockquote
cite="mid:CAM=p8h=+ZfNiU48GsFos9BM34vVdX_tVBosyXsAN14_f8t1rxA@mail.gmail.com"
type="cite">
<div><br><br><div class="gmail_quote">On Mon, Feb 11, 2013 at 12:59
PM, Paul Vixie <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:paul@redbarn.org" target="_blank">paul@redbarn.org</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex"><br>
<br>
nudge wrote:<br>
> ...<br>
<div class="im">> "Attacks that justify ignoring the contents of DNS
responses are likely<br>
> to be attacks on the DNS server itself. They usually should be
discarded<br>
> before the DNS server spends resources making TCP connections or
parsing<br>
> DNS requests, but that rate limiting must be done before the DNS
server<br>
> sees the requests."<br>
><br>
> What precisely does this mean in the context of response rate
limiting ?<br>
<br>
</div>if you have enough information at the firewall or gateway to be
able to<br>
stop an attack merely by counting packets per source address, then the<br>
attacks you'll be stopping are against your name server, not the ones<br>
that merely use your name server as a reflecting amplifier to attack<br>
somebody else (whose IP source addresses are getting spoofed toward<br>
you.) correspondingly, if you want to stop reflection attacks from using<br>
you as an amplifier, you need information that a gateway or firewall<br>
won't have, such as the content of the prospective DNS response.<br>
<div class="HOEnZb"><div class="h5"><br>
_______________________________________________<br>
ratelimits mailing list<br>
<a moz-do-not-send="true" href="mailto:ratelimits@lists.redbarn.org">ratelimits@lists.redbarn.org</a><br>
<a moz-do-not-send="true"
href="http://lists.redbarn.org/mailman/listinfo/ratelimits"
target="_blank">http://lists.redbarn.org/mailman/listinfo/ratelimits</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Nullius
addictus jurare in verba magistri.
</div>
</blockquote>
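<br>
The distinction Paul draws above (a gateway that only counts packets per source address versus a limiter that knows the prospective DNS response) can be shown in code. The following is an added example, not code from the thread or from any RRL implementation: it builds a constructed toy zone, computes what the server would answer to each query, and compares a response-aware limiter keyed on (client /24, response identity) with a naive per-source packet counter. The zone contents, addresses, per-second budget and the simplified window counter are all assumptions made for the illustration; real RRL implementations add a token bucket, "slip" (truncated responses to make legitimate clients retry over TCP) and coarser grouping of error responses, none of which is modelled here.<br>

```python
"""Toy illustration (not production code) of why response rate limiting
needs the prospective DNS response rather than a per-source packet count."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed tiny zone (assumption): qname -> {qtype: answer size in bytes}.
ZONE = {
    "example.test.": {"A": 60, "ANY": 3000, "TXT": 400},
    "www.example.test.": {"A": 60},
}


@dataclass(frozen=True)
class Query:
    src_ip: str   # source address as seen on the wire (may be spoofed)
    qname: str
    qtype: str


def prospective_response(q):
    """Return (qname, qtype, rcode, size) for what the server would send."""
    rrs = ZONE.get(q.qname)
    if rrs is None:
        return (q.qname, q.qtype, "NXDOMAIN", 80)
    size = rrs.get(q.qtype)
    if size is None:
        return (q.qname, q.qtype, "NOERROR", 50)  # NOERROR, empty answer
    return (q.qname, q.qtype, "NOERROR", size)


def prefix24(ip):
    """Aggregate clients to a /24, since a spoofer varies the low bits."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


class ResponseRateLimiter:
    """Budget per (client /24, response identity, one-second window).

    Identical responses toward one prefix share a budget, so a flood of
    spoofed queries that all produce the same large answer is limited
    while distinct answers to the same prefix are unaffected. This toy
    keys NXDOMAIN on the qname; real implementations group error
    responses more coarsely.
    """

    def __init__(self, responses_per_second=5):
        self.limit = responses_per_second
        self.counts = defaultdict(int)

    def decide(self, q, now):
        qname, qtype, rcode, _size = prospective_response(q)
        key = (prefix24(q.src_ip), qname, qtype, rcode, int(now))
        self.counts[key] += 1
        return "drop" if self.counts[key] > self.limit else "answer"


class NaivePacketCounter:
    """What a non-DNS-aware gateway can do: count packets per source IP."""

    def __init__(self, packets_per_second=5):
        self.limit = packets_per_second
        self.counts = defaultdict(int)

    def decide(self, q, now):
        key = (q.src_ip, int(now))
        self.counts[key] += 1
        return "drop" if self.counts[key] > self.limit else "answer"


def run_simulation():
    """One second of constructed traffic: 20 spoofed ANY queries carrying
    the victim's address as source, followed by 8 distinct queries the
    victim itself sends. Returns how many of each kind got answered."""
    victim = "203.0.113.7"  # constructed address that the attacker spoofs
    spoofed = [Query(victim, "example.test.", "ANY") for _ in range(20)]
    legit = [Query(victim, n, t) for n, t in [
        ("www.example.test.", "A"), ("example.test.", "A"),
        ("example.test.", "TXT"), ("example.test.", "AAAA"),
        ("a.example.test.", "A"), ("b.example.test.", "A"),
        ("c.example.test.", "A"), ("d.example.test.", "A")]]
    traffic = [(q, "spoofed") for q in spoofed] + [(q, "legit") for q in legit]

    results = {}
    for name, limiter in (("rrl", ResponseRateLimiter()),
                          ("naive", NaivePacketCounter())):
        answered = {"spoofed_answered": 0, "legit_answered": 0}
        for q, kind in traffic:
            if limiter.decide(q, now=0.0) == "answer":
                answered[kind + "_answered"] += 1
        results[name] = answered
    return results


if __name__ == "__main__":
    print(run_simulation())
```

Running it, the response-aware limiter answers 5 of the 20 identical amplifying responses and all 8 distinct legitimate ones, whereas the packet counter, seeing only one source address, answers the first 5 packets (all spoofed) and drops every legitimate query behind them: exactly the trade-off the thread describes, where per-address counting protects the server itself but cannot stop it being used as a reflector without penalising the spoofed victim.<br>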
</body></html>