Received: by 10.66.83.35 with SMTP id n3mr4653119pay.23.1350462878496;
Wed, 17 Oct 2012 01:34:38 -0700 (PDT)
Path: s9ni17645pbb.0!nntp.google.com!news.glorb.com!usenet.stanford.edu!not-for-mail
From: Phil Mayers <p.may...@imperial.ac.uk>
Newsgroups: comp.protocols.dns.bind
Subject: Re: about DNS RRL
Date: Wed, 17 Oct 2012 09:34:26 +0100
Lines: 33
Approved: bind-us...@lists.isc.org
Message-ID: <mailman.425.1350462878.11945.bind-users@lists.isc.org>
References: <507E69A5.3040106@riseup.net>
NNTP-Posting-Host: lists.isc.org
Mime-Version: 1.0
X-Trace: usenet.stanford.edu 1350462878 28262 149.20.64.75 (17 Oct 2012 08:34:38 GMT)
X-Complaints-To: action@cs.stanford.edu
To: bind-us...@lists.isc.org
Return-Path: <p.may...@imperial.ac.uk>
X-Original-To: bind-us...@lists.isc.org
Delivered-To: bind-us...@lists.isc.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
rv:16.0) Gecko/20121010 Thunderbird/16.0.1
In-Reply-To: <507E69A5.3040106@riseup.net>
X-IC-MsgID: 1TOP59-0002UU-S9
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_PASS
autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mx.pao1.isc.org
X-BeenThere: bind-us...@lists.isc.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: BIND Users Mailing List <bind-users.lists.isc.org>
List-Unsubscribe: <https://lists.isc.org/mailman/options/bind-users>,
<mailto:bind-users-requ...@lists.isc.org?subject=unsubscribe>
List-Archive: <https://lists.isc.org/pipermail/bind-users>
List-Post: <mailto:bind-us...@lists.isc.org>
List-Help: <mailto:bind-users-requ...@lists.isc.org?subject=help>
List-Subscribe: <https://lists.isc.org/mailman/listinfo/bind-users>,
<mailto:bind-users-requ...@lists.isc.org?subject=subscribe>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
On 10/17/2012 09:17 AM, pangj wrote:
> I have read the document of redbarn RRL for BIND and this NSD RRL:
> https://www.nlnetlabs.nl/blog/2012/10/11/nsd-ratelimit/
>
> I have a question that, since the DDoS to DNS are coming from spoofed
> IPs. But RRL is working based on source IP. So how can it stop the real
> life attack?
It doesn't stop it (indeed, can't). It mitigates the impact.
The DDoS tend to come from a fixed set of spoofed source at any one
time. RRL helps, in that it:
1. punts early in the path, lowering resolver CPU use, and
2. returns a minimal response, which prevents amplification.
Remember the DDoS is actually directed at the spoofed source, not the
DNS server. The DNS server is merely an unwilling participant. RRL helps
prevent that participation.
There is, as I understand it, some spotty evidence that the attackers
will move to a different server if RRL seems to be in use. How this
happens I don't know - maybe they probe with real IPs? - but I've heard
others emphatically claim this is not the case, and attackers will
continue to blindly flail at you until the attacking node goes down.
The only solution to these kinds of attacks is for providers to
implement BCP 38, and for upstream providers to start de-peering
providers who don't. I rate this about as likely as... a very unlikely
thing.
S/RTBH can help the DNS provider, if they're being overwhelmed and their
upstream supports it.
Message from discussion about DNS RRL
| Create a group - Google Groups - Google Home - Terms of Service - Privacy Policy |
| ©2013 Google |