Reindl Harald <h.rei...@thelounge.net> writes:

> On 16.12.21 at 14:22 Andrew P. wrote:
>> You don't understand what kind of blacklist I want; I want to blacklist the
>> domain name being asked for, so I don't answer for it. I'm not looking to
>> blacklist forged IP addresses of requestors (since we all know criminals
>> don't use their own identities; they use the identities of innocent
>> bystanders).
>>
>> Again, why should _my_ nameserver respond to a query for "./ANY/IN"? I am
>> not a rootserver, and never will be.
>
> AGAIN: you don't gain anything by not responding on a UDP protocol
> because the client can't distinguish no response from packet loss

AGAIN, the criminal DDoS attacker who's creating these forged requests isn't looking for replies to themselves; they're looking to abuse some poor victim. And the victim can't make the attacker shut up.

> so you *increase* the load by retries on the client

No, the attacker is going to send their packets as often as they feel like it regardless of whether I answer, and they won't know if the load on the victim is sufficient to crush them (or if I am participating), since the attacker isn't receiving the attack. They won't speed up on me just because I refuse to participate in their ugly little games, because they won't know I'm not playing along (at least until they decide to attack _me_ instead of someone else).

> don't get me wrong but you need to understand the implications of what
> you are doing - for DOS attacks "Response Rate Limiting" was invented
> and for non-DOS requests there isn't any valid reason to take action

Please tell me what non-DOS requests would be asking _my_ name server to dump the root domain. I'm not running a caching-only public nameserver (such as an ISP might run for their customers), so _no_ _one_ should be asking my nameserver for the entire root domain. Even webcrawlers don't need to harass non-root nameservers for root domain information.

Note I haven't done anything yet; I'm asking if there _is_ a way to do it presently implemented in BIND.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
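For readers following the question in this thread (can an authoritative-only BIND server avoid being a useful reflector for forged "./ANY/IN" queries), here is an added named.conf example; it is not from either poster or from ISC, and the zone name, file name and addresses are placeholders. What it relies on: with recursion disabled and the global allow-query set to none, BIND answers a query for any name outside its own zones (the root included) with rcode REFUSED rather than an answer or a referral; the rate-limit block (Response Rate Limiting, the mechanism Reindl refers to) then throttles those REFUSED responses via errors-per-second, and slip 0 drops the throttled responses outright instead of sending the small truncated reply that RRL would otherwise use to let legitimate clients retry over TCP. minimal-any keeps the ANY answers for the server's own zones short. BIND has no per-QNAME "drop silently" setting that I know of; this is the closest the server itself offers without a firewall rule.

```conf
// Added example (not from the thread or from ISC): authoritative-only
// BIND 9 named.conf that refuses off-zone queries such as ./ANY/IN and
// rate-limits the REFUSED responses. Names and addresses are placeholders.
options {
    directory "/var/named";

    // Authoritative only: no recursion and no resolver cache service.
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };

    // Deny queries by default; each zone below re-enables them for its
    // own names. A query for "." (or any other name we are not
    // authoritative for) therefore gets rcode REFUSED.
    allow-query { none; };

    // Keep ANY answers for our own zones minimal (BIND 9.11 and later).
    minimal-any yes;

    // Response Rate Limiting. errors-per-second covers the REFUSED
    // responses above. slip 0: rate-limited responses are dropped rather
    // than answered with a truncated reply (slip 2 would truncate every
    // second one so real clients can fall back to TCP).
    rate-limit {
        responses-per-second 10;
        errors-per-second 5;
        referrals-per-second 5;
        nodata-per-second 5;
        nxdomains-per-second 5;
        slip 0;
        window 15;
        ipv4-prefix-length 24;
        ipv6-prefix-length 56;
        exempt-clients { 192.0.2.0/24; };   // placeholder: own monitoring hosts
        log-only no;                         // set yes to measure before enforcing
    };
};

// Placeholder zone; "master" is accepted by all BIND 9 releases
// ("primary" is the newer spelling).
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
};

logging {
    channel rrl_log {
        file "rrl.log" versions 3 size 5m;
        severity info;
        print-time yes;
    };
    category rate-limit { rrl_log; };
};
```

Check it with named-checkconf before reloading, then query the server with dig +norecurse @<server> . ANY: the expected status is REFUSED, and once the same /24 exceeds errors-per-second within the window the responses stop arriving (dropped by slip 0) and the rate-limit category logs the event. The trade-off is the one argued in the thread: dropping instead of truncating also hits a legitimate client that happens to share a rate-limited prefix, which is why log-only yes is a sensible first step to see who would be affected.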