> From: glen wiley <glen.wi...@gmail.com>
>
> This seems like a degenerate case to me...there is a threshold below which attacks
> are no longer meaningful. For most name servers I suspect that an attack is only
> interesting at some rate well above 10's of qps.
The DNS RRL is less about defending a DNS server than defending the victims of the server. Only small or at most modest DoS attacks on a name server would be helped by dropping responses. One of the most effective families of DoS attacks against a name server is explicitly not addressed by the DNS RRL code. (There's no profit in enumerating attacks against DNS servers themselves or flogging their details here.)

DNS RRL is mostly about mitigating DNS amplified reflection attacks, in which an attacker bounces packets off DNS servers toward the real target and the DNS servers reflect or send many more bits toward the real target than they receive from the attacker. For example, a request for a DNSSEC validated A record for asdf.isc.org from a recursive resolver sends about 14 times as many bytes (~700) toward the supposed source as were in the original request (~50).

> As a name server operator not only am I not likely to see anything odd in an attack
> like that, I really don't have the time or inclination to care about volumes in that
> range.

My DNS servers are certainly not what I'd call busy, but I'd probably not notice an extra 100 qps for days. However, a bad guy could send each of 1000 DNS servers 100 41-byte queries forged from 10.2.3.4 per second for a total of 32 Kbit/sec. Each of those requests would normally result in about 700 to more than 2000 bytes depending on the query. 10.2.3.4 would see 0.6 Gbps to 1.6 Gbit/sec.

A discouraging fact is that rate limiting doesn't help if the bad guy uses a list of 100,000 or 1,000,000 servers and only 1 or 0.1 forged query/sec. The only hope is that by the time the bad guys get smart and ambitious enough to use millions of reflectors, BCP38 will be so common that the sending systems can be found and quenched.
Vernon Schryver v...@rhyolite.com

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
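To make the arithmetic in the reply reproducible, here is an added example (not from the thread or from any RRL implementation) that models a simplified per-source RRL budget with slip and computes the bytes reflected toward a spoofed address, for both the 1000-server scenario and the million-reflector case where RRL cannot help. The policy values (5 responses/s, slip 2) and the 50-byte size of a truncated reply are assumptions chosen for illustration, not software defaults.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class RrlPolicy:
    """Simplified per-source RRL budget (values are assumed for illustration, not defaults)."""
    responses_per_second: int  # full answers a server sends to one source address per second
    slip: int                  # every slip-th over-budget reply goes out as a small TC=1 answer; 0 = drop all
    slip_bytes: int = 50       # assumed size of a truncated reply, roughly the size of the query


def amplification(query_bytes: int, response_bytes: int) -> float:
    """Bytes sent toward the spoofed source per byte received from the attacker."""
    return response_bytes / query_bytes


def bytes_per_second_from_one_server(forged_qps: float, response_bytes: int,
                                     policy: Optional[RrlPolicy]) -> float:
    """Bytes one reflector emits toward the spoofed source in one second."""
    if policy is None:
        return forged_qps * response_bytes
    full = min(forged_qps, policy.responses_per_second)      # within budget: full answers
    over_budget = forged_qps - full                            # the rest is dropped...
    slipped = over_budget / policy.slip if policy.slip else 0  # ...except every slip-th, sent truncated
    return full * response_bytes + slipped * policy.slip_bytes


def reflected_mbps(n_reflectors: int, forged_qps: float, response_bytes: int,
                   policy: Optional[RrlPolicy] = None) -> float:
    """Aggregate Mbit/s arriving at the spoofed source from all reflectors."""
    per_server = bytes_per_second_from_one_server(forged_qps, response_bytes, policy)
    return n_reflectors * per_server * 8 / 1e6


if __name__ == "__main__":
    policy = RrlPolicy(responses_per_second=5, slip=2)
    print(f"amplification of a ~700 byte DNSSEC answer to a ~50 byte query: "
          f"{amplification(50, 700):.0f}x")
    # the reply's scenario: 1000 servers each receiving 100 forged qps, 700 to 2000 byte answers
    for size in (700, 2000):
        print(f"1000 x 100 qps, {size} B answers: "
              f"{reflected_mbps(1000, 100, size):.0f} Mbit/s without RRL, "
              f"{reflected_mbps(1000, 100, size, policy):.0f} Mbit/s with RRL")
    # the discouraging case: a million reflectors at 1 forged qps each never exceed the budget
    print(f"1e6 x 1 qps, 700 B answers: "
          f"{reflected_mbps(1_000_000, 1, 700):.0f} Mbit/s without RRL, "
          f"{reflected_mbps(1_000_000, 1, 700, policy):.0f} Mbit/s with RRL")
```

The model treats the budget as per spoofed source address; real RRL implementations also aggregate by netblock and by response type, so treat the numbers as an upper bound on what the budget alone buys.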