On Thu, 2013-01-31 at 09:32 -0500, Keith Mitchell wrote:
> There are more effective mitigation measures available, in particular I
> would strongly recommend you have a look at:
> 
>       http://www.redbarn.org/dns/ratelimits
> 
> For more information on this problem, and DNS rate-limiting patches
> which are available for BIND and Unbound.

It's worth mentioning that DNS RRL prevents authoritative servers from
contributing to amplification attacks rather than helping at the target
end. It could be described as making your authoritative servers less
"attractive" to the attackers, because they won't generate anywhere near
the same amount of traffic.

However, as Keith says, the best cure...

> The real cure for this kind of problem is for ISPs to deploy BCP38, but
> that's been pending for a decade or two now :-(

...isn't going to be implemented across the world any time soon. More,
as they say, is the pity.

Graeme


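As an added illustration (not code from this thread nor from the BIND/Unbound RRL patches Keith links), a simplified model of the RRL idea Graeme describes: responses are counted per (client /24, qname) bucket, excess responses are dropped, and every second dropped response "slips" as a small truncated reply so a real client can retry over TCP while a spoofed source gains almost nothing. Bucket keys, the rate, the slip ratio and the response sizes are constructed assumptions for the demo.

```python
from collections import defaultdict
from ipaddress import ip_network


class ResponseRateLimiter:
    """Simplified RRL model (assumption: not BIND's or Unbound's implementation)."""

    def __init__(self, responses_per_second=5, slip=2):
        self.rps = responses_per_second
        self.slip = slip                  # 0 disables slipping
        self.counts = defaultdict(int)    # bucket -> responses sent this second
        self.dropped = defaultdict(int)   # bucket -> drops since the bucket first overflowed
        self.second = None

    @staticmethod
    def bucket(client_ip, qname):
        # Rate-limit per /24 so a spoofer cannot escape the limit by varying the low byte.
        net = ip_network(f"{client_ip}/24", strict=False)
        return (str(net), qname.lower())

    def decide(self, now, client_ip, qname):
        """Return 'answer', 'slip' (truncated TC=1 reply) or 'drop' for one query."""
        sec = int(now)
        if sec != self.second:            # new second: reset all per-bucket counters
            self.second = sec
            self.counts.clear()
        key = self.bucket(client_ip, qname)
        self.counts[key] += 1
        if self.counts[key] <= self.rps:
            return "answer"
        self.dropped[key] += 1
        if self.slip and self.dropped[key] % self.slip == 0:
            return "slip"                 # small reply; a legitimate client retries over TCP
        return "drop"


def bytes_sent(limiter, queries, full_size=3000, slip_size=60):
    """Bytes the server emits toward the (possibly spoofed) source for (time, ip, qname) queries."""
    total = 0
    for t, ip, qname in queries:
        d = limiter.decide(t, ip, qname)
        total += full_size if d == "answer" else slip_size if d == "slip" else 0
    return total


def amplification_demo():
    """Constructed sample: 100 identical large-answer queries in one second from one spoofed IP."""
    queries = [(i / 100, "203.0.113.7", "example.com") for i in range(100)]
    without_rrl = bytes_sent(ResponseRateLimiter(responses_per_second=10**9, slip=0), queries)
    with_rrl = bytes_sent(ResponseRateLimiter(responses_per_second=5, slip=2), queries)
    return without_rrl, with_rrl
```

With these sample sizes the server sends 300000 bytes toward the spoofed source without RRL and 17820 with it (5 full answers plus 47 truncated slips), which is the "far less attractive" effect Graeme describes.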