Vernon Schryver <[email protected]> wrote:

> Klaus Darilion <[email protected]> wrote:
>
> > The tuple <mask(IP), imputed(NAME), errorstatus> is used to select a
> > state blob. In the amplification attacks on our authoritative servers we
> > see only valid requests without duplication, [...]
>
> > Thus, it may take some time until the attacker starts with domain1.com
> > again. If I understand the Responder Behavior correctly, this would mean
> > that filtering is never triggered if a domain is not queried
> > RESPONSES-PER-SECOND times per second. Or do I miss something here?
>
> I'm not sure I understand. If that points out that an attack that is
> too diffuse to be noticed by the BIND RRL code might be noticed by a
> firewall rule, then I agree. I'd also say that can be seen as a feature
> instead of a defect, because during less diffuse attacks, legitimate
> requests from the forged CIDR block will still be answered.
I don't think "diffuse" is the right word - this kind of attack can be very intense. If you have a large domain signed with NSEC it's trivial for an attacker to enumerate the domain, and RRL will not treat this as an attack. Or if you are a large scale DNS hosting provider the attacker can get a list of domains you host from copies of TLD zones. Having got a list of names, the attacker can then reflect lots of traffic via your server which will be treated as OK by RRL.

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
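A small model of the per-tuple accounting discussed in this thread, added here as an illustration and not code from BIND or from anyone posting above: it keys a one-second counter on <mask(IP), name, errorstatus> and shows why the same volume spread over many valid names (the NSEC-walk case Tony describes) never reaches RESPONSES-PER-SECOND for any one tuple, while a per-client-block count of responses actually sent, the view a firewall rule would have, still shows the full rate. The /24 mask, the limit of 5, and the 192.0.2.0/24 source are constructed sample values, and the one-second window is a simplification of RRL's token bucket.

```python
from collections import defaultdict
import ipaddress

def mask_ip(ip):
    """Collapse a source address to its client block (/24 for IPv4, /56 for
    IPv6, the BIND RRL defaults; assumed here for the model)."""
    prefix = 56 if ":" in ip else 24
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

class PerTupleLimiter:
    """Simplified RRL model: one counter per
    <mask(IP), imputed(NAME), errorstatus> per one-second window."""
    def __init__(self, responses_per_second):
        self.limit = responses_per_second
        self.counts = defaultdict(int)

    def decide(self, src_ip, qname, error_status, t):
        window = int(t)  # fixed one-second windows instead of a token bucket
        key = (mask_ip(src_ip), qname.lower().rstrip("."), error_status, window)
        self.counts[key] += 1
        return "answer" if self.counts[key] <= self.limit else "drop"

def simulate(queries, responses_per_second):
    """Run (time, src_ip, qname) tuples through the limiter and return
    (answered, responses sent per client block) for the window."""
    rl = PerTupleLimiter(responses_per_second)
    answered = 0
    per_prefix = defaultdict(int)  # aggregate view a firewall rule could use
    for t, ip, name in queries:
        if rl.decide(ip, name, "NOERROR", t) == "answer":
            answered += 1
            per_prefix[mask_ip(ip)] += 1
    return answered, dict(per_prefix)

# Constructed sample traffic: 200 queries within one second from a forged
# source in the documentation range 192.0.2.0/24 (not observed traffic).
FORGED_SRC = "192.0.2.7"

def one_name(n=200, rps=5):
    """All queries for one existing name: RRL holds responses to rps."""
    return simulate([(i / n, FORGED_SRC, "www.example.com.") for i in range(n)], rps)

def many_names(n=200, rps=5):
    """Same volume over n distinct existing names (e.g. learned by walking an
    NSEC chain): every tuple stays under rps, so nothing is rate-limited."""
    return simulate([(i / n, FORGED_SRC, f"host{i}.example.com.") for i in range(n)], rps)

if __name__ == "__main__":
    print("one name  :", one_name())    # 5 answered, 195 rate-limited
    print("many names:", many_names())  # 200 answered; per-/24 count shows 200
```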
