On 2012-12-17 7:57 PM, Patrick, Robert (CONTR) wrote:
> ...
>
> Where some customers haven't implemented rate-limiting within BIND,
> mitigation is available at the O/S and network layer. As an example, there
> are connection limits that can be enforced with iptables on Linux.
> Per-source-IP connection limits can also be restricted on Cisco ASA firewalls
> (and likely other vendor products).

such rate limits are too coarse-grained for dns authority service. if you limit your request flows rather than your response flows, then your only choice is: too low, where a legitimate client asking a legitimately diverse set of questions does not get reliable service; or too high, where an attacker can get enough of your bandwidth directed at a victim to be damaging. OS-level rate limiting also lacks the ability to insert TC=1 responses on a statistical basis, thus transforming rate limiting into transaction delay rather than transaction loss. to make this work without breaking things, the rate limiting logic has to be within the server itself, and it has to be applied to responses, not requests.

> There is a patch available for rate-limiting inside BIND.

see http://www.redbarn.org/dns/ratelimits for background, including patches (which are not currently supported by ISC) and a technical note (which looks a bit like an RFC that some day i hope RRL will deserve.)

paul

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
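The argument in the reply above (request-keyed limits are too coarse, response-keyed limits with statistical TC=1 "slip" turn loss into delay) can be seen in a small simulation. The following is an added illustration, not code from the post or from the RRL patch it links; it models both limiters as simple per-second token buckets, which is a simplification of the real RRL window and credit accounting. The /24 aggregation, the rate of 5 per second, the slip of 2, and the two constructed traffic mixes (a resolver asking 20 different questions, and a spoofed flood of 20 identical questions) are all assumptions chosen for the demonstration.

```python
"""Simplified DNS rate limiting: per-request (coarse) vs per-response (RRL-style).

Added example; models the argument in the post, not the RRL patch itself.
"""
from collections import Counter
import ipaddress

PREFIX_LEN = 24          # assumption: clients are aggregated per IPv4 /24


def netblock(client_ip):
    """Collapse a client address to its /24 so spoofed hosts in one block share a bucket."""
    return str(ipaddress.ip_network(f"{client_ip}/{PREFIX_LEN}", strict=False))


class RateLimiter:
    """Token bucket keyed by whatever key_fn returns.

    rate: responses (or requests) allowed per key per second.
    slip: every slip-th over-limit response is sent truncated (TC=1) instead of
          dropped, so a genuine client retries over TCP; slip=0 disables that,
          which is all an OS- or firewall-level request limit can do.
    """

    def __init__(self, rate, slip, key_fn):
        self.rate, self.slip, self.key_fn = rate, slip, key_fn
        self.buckets = {}          # key -> [credits, last_second]
        self.over = Counter()      # key -> number of over-limit events seen

    def decide(self, now, client_ip, qname, qtype, rcode):
        key = self.key_fn(client_ip, qname, qtype, rcode)
        sec = int(now)
        credits, last = self.buckets.get(key, (self.rate, sec))
        if sec > last:                                  # refill once per elapsed second
            credits = min(self.rate, credits + (sec - last) * self.rate)
            last = sec
        if credits > 0:
            self.buckets[key] = [credits - 1, last]
            return "send"
        self.buckets[key] = [credits, last]
        self.over[key] += 1
        if self.slip and self.over[key] % self.slip == 0:
            return "truncate"                           # TC=1: delay, not loss
        return "drop"


def request_key(client_ip, qname, qtype, rcode):
    """Coarse key: the client block only (what iptables/ASA-style limits can see)."""
    return netblock(client_ip)


def response_key(client_ip, qname, qtype, rcode):
    """RRL-style key: identical answers to the same block share one bucket."""
    return (netblock(client_ip), qname.lower(), qtype, rcode)


def simulate(limiter, queries):
    """Run a list of (time, client_ip, qname, qtype, rcode) and tally decisions."""
    return Counter(limiter.decide(*q) for q in queries)


# Constructed traffic: a legitimate resolver asking 20 different questions in one
# second, and a spoofed flood of 20 identical questions from (apparently) one address.
LEGIT = [(0.0, "192.0.2.10", f"host{i}.example.", "A", "NOERROR") for i in range(20)]
FLOOD = [(0.0, "203.0.113.5", "example.", "ANY", "NOERROR") for _ in range(20)]


def compare(rate=5, slip=2):
    """Tally what each limiter does to each traffic mix."""
    return {
        "request-limit/legit": dict(simulate(RateLimiter(rate, 0, request_key), LEGIT)),
        "request-limit/flood": dict(simulate(RateLimiter(rate, 0, request_key), FLOOD)),
        "rrl/legit": dict(simulate(RateLimiter(rate, slip, response_key), LEGIT)),
        "rrl/flood": dict(simulate(RateLimiter(rate, slip, response_key), FLOOD)),
    }


if __name__ == "__main__":
    for scenario, tally in compare().items():
        print(f"{scenario:22s} {tally}")
```

With the same limit of 5 per second, the request-keyed limiter treats the diverse resolver and the repetitive flood identically (5 served, 15 lost each), which is the "too low" horn of the dilemma; raising the limit to serve the resolver would be the "too high" horn. The response-keyed limiter serves all 20 distinct answers to the resolver, because each distinct answer has its own bucket, while the 20 identical answers toward the spoofed address are cut to 5 sent, 8 dropped and 7 truncated, so a real client behind that address still gets an answer after a TCP retry.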
