On Dec 17, 2012, at 3:17 PM, Paul Vixie wrote:
>> There is a patch available for rate-limiting inside BIND.
>
> see http://www.redbarn.org/dns/ratelimits for background, including
> patches (which are not currently supported by ISC) and a technical note
> (which looks a bit like an RFC that some day i hope RRL will deserve.)

For what it's worth, ARIN also came under an amplification attack recently. This was early last month. They were querying the heck out of ripe.net for which we provide secondary service. It's a nice, signed zone that's chunky on the outbound. We were able to completely mitigate the attack using Schryver & Vixie's ratelimiter BIND patch. It's working quite well for us.

cheers,
Matt
