On Sep 11, 2012, at 1:40 AM, Paul Vixie wrote:

> On 2012-09-11 5:36 AM, Mohamed Lrhazi wrote:
>> Nope. I have not, and am not using BIND unfortunately. But I guess you
>> are saying: Limit responses to any client to some number per some time
>> window.
>>
>> What would be an appropriate number, per what time window, to be
>> effective and lessen the chances of false positives?
>
> the defaults are round numbers (10 similar responses per second per v4
> /24 or v6 /56, keep history for five seconds) and are shockingly
> effective. Important Note: it's not responses per client, but rather,
> responses per client network per response type, that must be limited.
> you can't do the right thing in a firewall or other in-path device, you
> get too many false negatives and false positives that way. the proposed
> response is how you bucketize safely.
>
> i'll be happy to describe DNS RRL to your non-BIND implementor if they
> want to know more about it. it's totally open, both the concept and the
> implementation in C for BIND are BSD-licensed.
Hey all,

I think it's great that we are rallying (as a community) to find ways to
address these DNS-based DDoS attacks, but I'm a little worried about this
specific way we are proposing to do it. That is, I think I either don't
understand RRL, or I _do_ understand it, and worry about the correctness of
the overall approach.

So, can I just make sure I understand the RRL idea? If, under non-attack
circumstances, I get a traffic rate of `r' from a given subnet, but an
amplification attack sends me `99*r' (causing a total traffic rate of
`100*r'), then I should rate limit?

So, my back-of-the-envelope calculation says that I will reward the attack
traffic over the non-attack traffic. That is, if I limit the response rate
back down to `r', then I will drop 99/100 responses to reach that target. My
legitimate client (subnet) has only about a 1/100 chance of getting each
query answered here (all other response slots are given to my adversary)...

I think rate limiting is kind of the wrong direction. Did I misunderstand
some aspect?

Also, when you say, ``shockingly effective,'' how can we measure
effectiveness, in order to verify the approach?

Thanks,
Eric

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
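The bucketing Paul Vixie describes (per client network, per response type, about ten similar responses per second, five seconds of history) and the arithmetic in Eric's message can both be run through a small model. The following is an added example written for this page; it is not BIND's RRL code and not posted by either participant. It assumes a simplified credit scheme (one second of credit per bucket, continuous refill, buckets forgotten after the history window, dropped responses simply dropped with no slip/TC=1 truncation) and constructed traffic: a legitimate client at 192.0.2.10 sending one example.com/A query per second, plus a reflection flood of 99 spoofed queries per second. The flood is run three ways: spoofing the same /24 with the same response type, spoofing the same /24 but asking for a different qtype, and spoofing a different /24.

```python
"""Toy model of DNS Response Rate Limiting (RRL) as described in the thread.

Added example for this page, NOT BIND's RRL implementation. Assumptions:
  * buckets are keyed by (client network, response type); /24 for v4, /56 for v6
  * each bucket holds at most one second of credit (responses_per_second)
    and refills continuously at that rate; one response costs one credit
  * a bucket idle for longer than `window` seconds is forgotten ("history")
  * over-limit responses are dropped (no slip / truncated-response fallback)
"""
import ipaddress
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    t: float       # arrival time, seconds
    src: str       # source address as seen on the wire (may be spoofed)
    qname: str
    qtype: str
    rcode: str     # rcode the server would answer with
    legit: bool    # ground truth, used only for the simulation's bookkeeping


def client_network(src: str) -> str:
    """/24 for IPv4 and /56 for IPv6, the granularity quoted in the thread."""
    addr = ipaddress.ip_address(src)
    plen = 24 if addr.version == 4 else 56
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))


def response_type(q: Query) -> tuple:
    """Positive answers are 'similar' when qname and qtype match; error
    answers are bucketed by rcode alone, so a random-name flood shares one
    NXDOMAIN bucket. (Assumed simplification of RRL's real classification.)"""
    if q.rcode == "NOERROR":
        return ("NOERROR", q.qname.lower().rstrip("."), q.qtype.upper())
    return (q.rcode,)


class ResponseRateLimiter:
    def __init__(self, responses_per_second: int = 10, window: float = 5.0):
        self.rps = float(responses_per_second)
        self.window = window
        self.buckets = {}   # key -> (credit balance, last seen time)

    def allow(self, q: Query) -> bool:
        key = (client_network(q.src), response_type(q))
        balance, last = self.buckets.get(key, (self.rps, q.t))
        if q.t - last > self.window:
            balance = self.rps                      # history expired, start fresh
        else:                                       # refill, capped at one second's worth
            balance = min(self.rps, balance + (q.t - last) * self.rps)
        allowed = balance >= 1.0
        if allowed:
            balance -= 1.0
        self.buckets[key] = (balance, q.t)
        return allowed


def simulate(queries, responses_per_second=10, window=5.0):
    """Feed the stream through RRL in arrival order; return
    {'legit': (answered, total), 'attack': (answered, total)}."""
    rrl = ResponseRateLimiter(responses_per_second, window)
    counts = {True: [0, 0], False: [0, 0]}
    for q in sorted(queries, key=lambda q: q.t):
        counts[q.legit][1] += 1
        if rrl.allow(q):
            counts[q.legit][0] += 1
    return {"legit": tuple(counts[True]), "attack": tuple(counts[False])}


def make_traffic(seconds=10, legit_per_sec=1, attack_per_sec=99,
                 attack_src="192.0.2.200", attack_qtype="A", seed=1):
    """Constructed traffic (not captured data): a legitimate client at
    192.0.2.10 asking example.com/A, plus a flood whose spoofed source and
    qtype default to the same /24 and the same response type, i.e. the
    shared-bucket case in Eric's arithmetic."""
    rng = random.Random(seed)
    qs = []
    for s in range(seconds):
        for _ in range(legit_per_sec):
            qs.append(Query(s + rng.random(), "192.0.2.10",
                            "example.com", "A", "NOERROR", True))
        for _ in range(attack_per_sec):
            qs.append(Query(s + rng.random(), attack_src,
                            "example.com", attack_qtype, "NOERROR", False))
    return qs


if __name__ == "__main__":
    runs = [("same /24, same response type", {}),
            ("same /24, attacker asks ANY", {"attack_qtype": "ANY"}),
            ("attacker spoofs another /24", {"attack_src": "198.51.100.7"})]
    for label, kw in runs:
        r = simulate(make_traffic(**kw))
        print(f"{label:30s} legit {r['legit'][0]}/{r['legit'][1]}"
              f"  attack {r['attack'][0]}/{r['attack'][1]}")
```

In the first run the legitimate client and the flood share one bucket, so the client's answered fraction tracks the attacker's, which is the effect Eric's arithmetic describes; in the other two runs the flood lands in a bucket of its own and every legitimate query is answered, which is what Vixie's "per client network per response type" keying is for. Swapping the `make_traffic` parameters (more legitimate clients, a random-subdomain NXDOMAIN flood, a different window) is the quickest way to measure the approach on your own traffic mix rather than argue it on paper.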
