> From: Olafur Gudmundsson <o...@ogud.com>
> ...
> If a traffic reducer turns on TC bit in its responses, then if no
> TCP connection is completed during the next N seconds,
> the reducer can go to full drop mode.
Should the DNS RRL patch stop "slipping" truncated (TC=1) responses if it seems that no TCP requests have been seen from the CIDR block within "window" seconds?

pro:
  - it would help answer concerns about contributing to the DoS attack, because some of the "slipped" responses are to forged requests.
  - surely some DNS reflection DoS CIDR block targets lack DNS servers and the truncated responses only harm them.

con:
  - it's not strictly necessary and might not be justified by its code and potential bugs.
  - the truncated responses are infrequent and small enough that they might not matter.
  - small reflection DoS targets might be sending fewer than 1 request per window seconds, and so would miss the false positive mitigation effects of the truncated responses.
  - even large reflection DoS targets might be sending fewer than 1 request per window seconds to most DoS reflectors and so would miss the false positive mitigation effects of the truncated responses.
  - for obvious as well as obscure implementation reasons, the "TCP seen" indicator would have a few errors in the "none seen" direction.

I've a detailed sketch of the necessary changes to the code, but I'm inclined to forget them.

Opinions should probably be expressed in the RRL mailing list at ratelim...@lists.redbarn.org or http://lists.redbarn.org/mailman/listinfo/ratelimits instead of the dns-operations mailing list.

Vernon Schryver    v...@rhyolite.com
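As an added illustration of the trade-off discussed in this post (not code from the thread or from the RRL patch), here is a toy model of RRL "slip" with the proposed "TCP seen" gate. The per-second limit, slip ratio, window and the 192.0.2.0/24 addresses are constructed values; it shows that the gate stops truncated responses towards a block that never answers over TCP, but also turns a real resolver in that block from "truncate" to "drop" until it completes a TCP query, after which slipping resumes for the forged sources sharing its /24.

```python
from collections import Counter, defaultdict
import ipaddress

class RrlModel:
    """Toy model of DNS RRL 'slip' plus the proposed 'TCP seen' gate.
    Constructed example; parameters are not the RRL patch defaults."""

    def __init__(self, limit=5, slip=2, window=15, require_tcp_seen=False):
        self.limit = limit                 # UDP responses allowed per block per second
        self.slip = slip                   # every slip-th limited response goes out as TC=1
        self.window = window               # seconds a completed TCP query keeps a block "TCP seen"
        self.require_tcp_seen = require_tcp_seen
        self.sent = defaultdict(int)       # (block, second) -> responses already sent
        self.limited = defaultdict(int)    # block -> rate-limited responses so far
        self.last_tcp = {}                 # block -> time of last completed TCP query

    @staticmethod
    def block(ip):
        return ipaddress.ip_network(f"{ip}/24", strict=False)  # RRL groups IPv4 clients by /24

    def tcp_seen(self, ip, now):
        self.last_tcp[self.block(ip)] = now

    def respond(self, ip, now):
        """Decide 'answer', 'truncate' (TC=1) or 'drop' for a UDP query from ip at time now."""
        blk = self.block(ip)
        if self.sent[(blk, int(now))] < self.limit:
            self.sent[(blk, int(now))] += 1
            return "answer"
        self.limited[blk] += 1
        if self.slip and self.limited[blk] % self.slip == 0:
            last = self.last_tcp.get(blk)
            if self.require_tcp_seen and (last is None or now - last > self.window):
                return "drop"  # proposal: no TCP from this block within window, so do not slip
            return "truncate"
        return "drop"

def run(require_tcp_seen, resolver_used_tcp):
    """Forged flood from 192.0.2.0/24 with one real resolver, 192.0.2.53, in the same block.
    Returns (fates of the flood's 100 queries, fate of the real resolver's own query)."""
    m = RrlModel(require_tcp_seen=require_tcp_seen)
    if resolver_used_tcp:
        m.tcp_seen("192.0.2.53", 0.0)  # the real resolver retried an earlier TC answer over TCP
    flood = Counter(m.respond(f"192.0.2.{i + 1}", 0.0) for i in range(100))
    return dict(flood), m.respond("192.0.2.53", 0.5)

if __name__ == "__main__":
    for gate, tcp in ((False, False), (True, False), (True, True)):
        print(f"gate={gate} resolver_used_tcp={tcp}:", run(gate, tcp))
```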