On 12/18/2012 7:55 AM, Stephane Bortzmeyer wrote:
> On Mon, Dec 17, 2012 at 08:17:18PM +0000,
>  Paul Vixie <[email protected]> wrote
>  a message of 33 lines which said:
>
>> if you limit your request flows rather than your response flows,
>> then your only choice is: too low, where a legitimate client asking
>> a legitimately diverse set of questions, does not get reliable
>> service;
>
> In theory, you're right. In practice, the attacks of *today* are quite
> simple and quite separate from normal DNS traffic (nobody asks "ANY
> isc.org" in the real world, except the attackers).

any time spent matching on things like bufsize=9000 is worse than wasted. even the lowest quality attacker can change it to 9001 at the start of a long holiday weekend. my rule of thumb is, don't install stuff that's not worth significant lab time up front. your attackers can adapt; so must your defense.

> I appreciate the BIND RRL patch and it is obvious to me that we must
> continue the research in dDoS mitigation, but let's not drop the
> mitigation techniques that work *today*. (The attackers are not
> superhuman, they use imperfect techniques.)

when i said that setting the per-requestor quota high enough to avoid false positives would give attackers enough capacity to cause real injury, i'm speaking from direct experience with f-root. believe me when i tell you, if we could solve this in the kernel, without a process context switch, without a user mode data copy... we would.

that is, *today* we have attackers who can adapt to per-requestor quotas who have not yet adapted to per-response-flow quotas.

>> see http://www.redbarn.org/dns/ratelimits for background, including
>> patches (which are not currently supported by ISC)
>
> In actual deployments, some people may be unwilling or unauthorized
> (corporate policy) to install "unofficial" patches on a production
> server. That's why we should not reject blindly the OS-level rate
> limiters (see my mini-HOWTO in this thread).

i encourage anyone who needs RRL in BIND and who can't run "patches" to contact ISC and inquire about support options.

paul

-- 
"When challenging a Kzin, a simple scream of rage will suffice. You scream and you leap."
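The per-requestor versus per-response-flow distinction argued over in this thread can be made concrete with a small simulation. The following is an added example written for this page; it is not the BIND RRL patch, not code from redbarn.org or ISC, and not anything either poster wrote. It assumes a simple token-bucket limiter, /24 aggregation of the source address, and a constructed traffic mix: one busy legitimate resolver asking 200 distinct names per second, and one reflection attacker spoofing a victim's address while repeating "ANY isc.org" 2000 times per second. Real RRL can answer over-quota queries with a truncated (TC=1) response to force TCP retry; this model simply drops them.

```python
"""Constructed model of per-requestor vs per-response-flow rate limiting.

Added example for illustration only; not the BIND RRL implementation.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Query:
    src: str      # source address as seen on the wire (spoofable in UDP)
    qname: str
    qtype: str


class TokenBucket:
    """One bucket per key: `rate` credits/second, capped at `burst`.
    A query that finds no credit is dropped (real RRL may slip TC=1 instead)."""

    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: burst)
        self.last = {}

    def allow(self, key, now: float) -> bool:
        if key in self.last:
            refill = (now - self.last[key]) * self.rate
            self.tokens[key] = min(self.burst, self.tokens[key] + refill)
        self.last[key] = now
        if self.tokens[key] >= 1:
            self.tokens[key] -= 1
            return True
        return False


def src_prefix(ip: str) -> str:
    # Aggregate by /24 so rotating the low byte of a spoofed source
    # does not buy the attacker a fresh quota.  (Assumed prefix length.)
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def per_requestor_key(q: Query):
    # Quota on the *requestor*: who is (apparently) asking.
    return src_prefix(q.src)


def per_response_key(q: Query):
    # Quota on the *response flow*: the same answer going to the same network.
    return (src_prefix(q.src), q.qname.lower(), q.qtype)


def simulate(policy, limiter_factory, queries):
    """Return {src_prefix: (answered, dropped)} after replaying `queries`."""
    limiter = limiter_factory()
    stats = defaultdict(lambda: [0, 0])
    for t, q in queries:
        stats[src_prefix(q.src)][0 if limiter.allow(policy(q), t) else 1] += 1
    return {k: tuple(v) for k, v in stats.items()}


LEGIT = "198.51.100.0/24"   # constructed: a busy recursive resolver
ATTACK = "203.0.113.0/24"   # constructed: spoofed victim of a reflection attack


def constructed_traffic(seconds: int = 10):
    """Constructed sample traffic, not a capture: the resolver asks 200
    distinct names each second; the attacker repeats 'ANY isc.org' 2000/s."""
    queries = []
    for s in range(seconds):
        for i in range(200):
            queries.append((s + i / 200, Query("198.51.100.7", f"host{i}.example.net", "A")))
        for i in range(2000):
            queries.append((s + i / 2000, Query("203.0.113.9", "isc.org", "ANY")))
    queries.sort(key=lambda x: x[0])
    return queries


def run_comparison():
    """Three policies over the same traffic.  The per-requestor quota must
    sit above the legitimate resolver's 200 qps to avoid false positives,
    which leaves the attacker hundreds of amplified answers per second; the
    per-response-flow quota can be tiny because a legitimate client rarely
    needs the *same* answer many times a second."""
    queries = constructed_traffic()
    return {
        "requestor_high": simulate(per_requestor_key, lambda: TokenBucket(300, 300), queries),
        "requestor_low": simulate(per_requestor_key, lambda: TokenBucket(5, 5), queries),
        "response_flow": simulate(per_response_key, lambda: TokenBucket(5, 5), queries),
    }


if __name__ == "__main__":
    for policy, stats in run_comparison().items():
        print(policy, "legit(answered,dropped)=", stats[LEGIT], "attacker=", stats[ATTACK])
```

With the high per-requestor quota the resolver is untouched but the attacker still gets roughly 300 reflected ANY answers per second; with a low per-requestor quota the attacker is throttled but so is the resolver, which loses almost everything. Keying on the response flow answers every one of the resolver's diverse questions while holding the repeated "ANY isc.org" to about five per second.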
