On Thu, Feb 6, 2014 at 2:37 PM, Paul Vixie <[email protected]> wrote: > For example, if the authoritative provider www.example.com were to > implement RRL as you describe, then an attacker could spoof traffic > purporting to be from Google Public DNS, OpenDNS, Comcast ... etc, and > cause www.example.com to be un-resolvable by users of those resolvers. > > > no. it just does not work that way. >
O.k., so say I spoof 10M UDP queries per second and 10M TCP SYNs per second purporting to be from OpenDNS's IP address. Does RRL a) Let the queries and SYNs go answered. Or b) Rate limit the responses? If it's (a) RRL doesn't prevent the reflection. If it's (b) then you complete a denial of service attack against the OpenDNS users. Which is it? or what's option (c)? -- Colm
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
