On 02/20/2013 08:48 AM, Jan-Piet Mens wrote:
> FYI, a paper (Feb 2013) titled "Defending against DNS reflection
> amplification attacks" at [1].

Interesting. Since the problem with RRL at low NXDomain ratio is the number of buckets, i.e. names queried, perhaps it would be possible to limit the number of buckets by grouping names together for the purpose of assigning the bucket?

E.g. a name server could adaptively assign names to a limited number of groups so that each group gets roughly the same amount of qps (or total sum of RRL score of the constituent domains) and then use the group id instead of a name as a bucket key.

Or if this added complexity is too high, perhaps just (semi) random assignment of group id to a name on zone reload would be sufficient.

Jaroslav Benkovsky
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
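
Added example, not part of the original message and not code from any name server: a Python sketch of the grouping proposed above, with a qps-balanced assignment and the salted-hash fallback, and a bucket key built from the group id instead of the name. The function names, the heaviest-first heuristic, the IPv4 /24 client prefix, and the sample names and qps figures are all assumptions made for illustration.

```python
import hashlib
import heapq

def assign_balanced(qps_by_name, n_groups):
    """Heaviest name first, each into the currently lightest group (assumed heuristic)."""
    heap = [(0.0, g) for g in range(n_groups)]
    heapq.heapify(heap)
    groups = {}
    for name, qps in sorted(qps_by_name.items(), key=lambda kv: (-kv[1], kv[0])):
        load, g = heapq.heappop(heap)
        groups[name] = g
        heapq.heappush(heap, (load + qps, g))
    return groups

def assign_random(names, n_groups, salt):
    """Semi-random alternative: salted hash of the name, new salt on each zone reload."""
    out = {}
    for name in names:
        digest = hashlib.sha256(salt + name.lower().encode()).digest()
        out[name] = int.from_bytes(digest[:8], "big") % n_groups
    return out

def group_loads(qps_by_name, groups, n_groups):
    """Total qps landing in each group, to check how even the split is."""
    loads = [0.0] * n_groups
    for name, g in groups.items():
        loads[g] += qps_by_name[name]
    return loads

def bucket_key(client_ip, qname, groups):
    """Rate-limit bucket key: (client /24, group id) rather than (client /24, name)."""
    prefix = ".".join(client_ip.split(".")[:3]) + ".0/24"  # IPv4 only, assumed /24
    return (prefix, groups[qname.lower()])

# Constructed sample: per-name qps observed for one zone.
SAMPLE_QPS = {
    "www.example.": 900, "mail.example.": 300, "ns1.example.": 250,
    "ns2.example.": 250, "ftp.example.": 100, "dev.example.": 100,
    "vpn.example.": 60, "old.example.": 40,
}

if __name__ == "__main__":
    groups = assign_balanced(SAMPLE_QPS, 2)
    print(group_loads(SAMPLE_QPS, groups, 2))
    print(bucket_key("192.0.2.10", "mail.example.", groups))
```

With grouping, the number of buckets per client prefix is bounded by the number of groups no matter how many distinct names are queried; the cost is that names sharing a group also share one rate limit.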
