> From: Matthijs Mekking <matth...@nlnetlabs.nl> > >> https://indico.dns-oarc.net/indico/getFile.py/access?contribId=4&resId=0&materialId=slides&confId=0 > >> > >> Page #12
> > I also wonder about the definition of "false positive." There are many > > plausible candidates. > > I agree. Basically it is a query from an attacker that is not being > dropped. That sounds like a "false negative" instead of a "false positive." A "false positive" would be dropping or "slipping" a legitimate or non-attack query. A "true positive" is correctly identifying and dealing with an attack packet. A "true negative" is correctly identifying and not harming a non-attack packet. https://www.google.com/search?q=false+positive http://www.mathsisfun.com/data/probability-false-negatives-positives.html https://en.wikipedia.org/wiki/Type_I_and_type_II_errors Perhaps "Slip 1" on page #12 refers to the RRL parameter. If I assume "False positives" means "truncated responses" (which are true positives instead of false positives), then all of the table except the "TCP responses" column makes sense. I have no idea what "TCP response" column means. > I know it has more to it than that. It might be a good idea to > define the term in the technical note. I can write some initial text, if > that is appreciated. I would a appreciate a few words here. I don't understand the graphs and tables, but I agree with the conclusions on page #20. Vernon Schryver v...@rhyolite.com _______________________________________________ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs