On Tue, Sep 11, 2012 at 12:45 PM, Phil Regnauld <[email protected]> wrote:
>> During real attacks, if a packet makes it to the DNS server, the game is
>> already lost.
>
> If you've got a cluster of anycast boxes behind a set of stateful
> firewalls, chances are you'll run out of states way before you exhaust
> what the DNS farm is capable of pushing out. At least that's what I've
> seen. Common wisdom is to let the DNS server deal with it, but I don't
> work where you work :)
Some state is useful; the rate-limit patches we're seeing here are themselves an example of stateful filtering, but with minimal state. Other good examples include using counting Bloom filters, or hash-limit targets (effectively the same thing). Enforcing traditional protocol state, e.g. TCP transmission window enforcement or UDP "connection" emulation, is definitely unwise.

-- 
Colm
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
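The distinction Colm draws above (bounded, approximate state versus a per-flow state table an attacker can fill) is easier to see in code. The following is an added example, not code from the thread or from any of the rate-limit patches being discussed: a per-source limiter built on a fixed array of counters indexed by k hashes, the counting-Bloom-filter style of filtering he names. Memory is fixed at m counters no matter how many distinct sources appear, so a flood of spoofed addresses cannot exhaust it the way it exhausts a stateful firewall's connection table. The traffic in `demo()` and the parameters (m, k, limit, window) are constructed for illustration.

```python
import hashlib


class CountingBloomLimiter:
    """Approximate per-source rate limiter with fixed memory.

    Rather than one state entry per client, it keeps m small counters and
    derives k slot indexes from a hash of the source key. Every accepted
    request increments the k slots; a source is throttled once the smallest
    of its k counters has reached `limit` within the current window. The
    counters are cleared every `window` seconds, so the only state that
    grows is the fixed array itself. (Hypothetical parameters below.)
    """

    def __init__(self, m=4096, k=3, limit=20, window=1.0):
        self.m, self.k, self.limit, self.window = m, k, limit, window
        self.counters = [0] * m
        self.window_start = 0.0

    def _indexes(self, key: bytes):
        # Derive k indexes from one digest using double hashing (h1 + i*h2),
        # so a single SHA-256 call stands in for k independent hash functions.
        h = hashlib.sha256(key).digest()
        h1 = int.from_bytes(h[:8], "big")
        h2 = int.from_bytes(h[8:16], "big") | 1  # odd, so steps cover the table
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def _roll_window(self, now: float):
        # Minimal-state time handling: a wholesale reset, not per-entry expiry.
        if now - self.window_start >= self.window:
            self.counters = [0] * self.m
            self.window_start = now

    def allow(self, source: str, now: float) -> bool:
        """Return True if the request from `source` at time `now` is admitted."""
        self._roll_window(now)
        idx = self._indexes(source.encode())
        # The minimum counter is the tightest estimate of this source's count;
        # a legitimate source is only over-counted if all k of its slots
        # collide with a heavier talker (the Bloom-filter false positive).
        if min(self.counters[i] for i in idx) >= self.limit:
            return False
        for i in idx:
            self.counters[i] += 1
        return True


def simulate(limiter: CountingBloomLimiter, events):
    """Run (timestamp, source) events through the limiter.

    Returns {source: (allowed, dropped)} so the effect per source is visible.
    """
    stats = {}
    for ts, src in events:
        allowed, dropped = stats.get(src, (0, 0))
        if limiter.allow(src, ts):
            stats[src] = (allowed + 1, dropped)
        else:
            stats[src] = (allowed, dropped + 1)
    return stats


def demo():
    """Constructed two-second trace: one flooder and one quiet client."""
    limiter = CountingBloomLimiter(m=4096, k=3, limit=20, window=1.0)
    events = []
    for t in range(2):
        # Flooder (documentation address): 1000 queries per second.
        events += [(t + i / 1000.0, "198.51.100.7") for i in range(1000)]
        # Legitimate client (documentation address): 5 queries per second.
        events += [(t + i / 5.0, "192.0.2.10") for i in range(5)]
    events.sort()
    return simulate(limiter, events)


if __name__ == "__main__":
    for src, (allowed, dropped) in demo().items():
        print(f"{src}: allowed={allowed} dropped={dropped}")
```

The flooder is held to `limit` queries per window while the quiet client passes untouched, and the limiter's footprint stayed at 4096 integers throughout; a conntrack-style table would have grown by one entry per spoofed source instead. The price is approximation: a legitimate client whose k slots all collide with a flooder's is throttled too, so m has to be sized against the expected number of active sources, and the hard window reset means a source can burst up to `limit` immediately after each boundary. Both are the tradeoffs accepted in exchange for state that an attacker cannot inflate.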
