Re: DNS ANY requests from Amazon?
Paul Vixie <paul@...
2012-12-18 15:25:24 GMT
On 12/18/2012 7:55 AM, Stephane Bortzmeyer wrote:
> On Mon, Dec 17, 2012 at 08:17:18PM +0000,
> Paul Vixie <paul@...> wrote
> a message of 33 lines which said:
>> if you limit your request flows rather than your response flows,
>> then your only choice is: too low, where a legitimate client asking
>> a legitimately diverse set of questions, does not get reliable
> In theory, you're right. In practice, the attacks of *today* are quite
> simple and quite separate from normal DNS traffic (nobody asks "ANY
> isc.org" in the real world, except the attackers).
any time spent matching on things like bufsize=9000 is worse than
wasted. even the lowest quality attacker can change it to 9001 at the
start of a long holiday weekend. my rule of thumb is, don't install
stuff that's not worth significant lab time up front. your attackers can
adapt; so must your defense.
> I appreciate the BIND RRL patch and it is obvious to me that we must
> continue the research in DDoS mitigation, but let's not drop the
> mitigation techniques that work *today*. (The attackers are not
> superhuman, they use imperfect techniques.)
when i said that setting the per-requestor quota high enough to avoid
false positives would give attackers enough capacity to cause real
injury, i'm speaking from direct experience with f-root. believe me when
i tell you, if we could solve this in the kernel, without a process
context switch, without a user mode data copy... we would. that is,
*today* we have attackers who can adapt to per-requestor quotas who have
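An added illustration of the distinction the thread turns on: limiting per response identity (client netblock plus the name, type and answer being sent), as the BIND RRL patch does, versus limiting per requestor only. This is example code written for this page, not Paul Vixie's code and not BIND's RRL implementation; it assumes a simplified fixed one-second window in place of BIND's credit accounting, a slip ratio of 2 (every second limited response is sent truncated so a real client can retry over TCP), /24 aggregation of IPv4 sources, and constructed traffic: a spoofed "ANY isc.org" flood claiming to come from 203.0.113.7 and a legitimate resolver at 198.51.100.9 asking twenty different names (addresses from RFC 5737, names under example.net are placeholders).

```python
"""Response rate limiting, simplified: per-response keys versus per-requestor keys.

Example code only. A fixed one-second window stands in for BIND's credit
scheme; the goal is to show why keying on the response identity lets a
legitimate client with diverse questions through while still capping a
spoofed flood of identical answers toward one victim.
"""
import ipaddress
from collections import Counter, defaultdict


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, slip=2, ipv4_prefix=24,
                 key_on_response=True):
        self.limit = responses_per_second
        self.slip = slip                    # every slip-th limited response is "slipped" (TC=1)
        self.prefix = ipv4_prefix           # aggregate sources to a /24
        self.key_on_response = key_on_response
        self.windows = {}                   # key -> (window_start, responses_sent)
        self.limited = defaultdict(int)     # key -> responses limited so far

    def _key(self, client, qname, qtype):
        net = ipaddress.ip_network(f"{client}/{self.prefix}", strict=False)
        if self.key_on_response:
            # RRL-style: the client netblock plus the identity of the answer
            return (str(net), qname.lower().rstrip("."), qtype.upper())
        # Per-requestor quota: the client netblock alone, regardless of question
        return (str(net),)

    def decide(self, now, client, qname, qtype):
        """Return 'send', 'slip' (truncated reply) or 'drop' for one response."""
        key = self._key(client, qname, qtype)
        start, count = self.windows.get(key, (now, 0))
        if now - start >= 1.0:              # new one-second window
            start, count = now, 0
        if count < self.limit:
            self.windows[key] = (start, count + 1)
            return "send"
        self.limited[key] += 1
        if self.slip and self.limited[key] % self.slip == 0:
            return "slip"
        return "drop"


def constructed_traffic():
    """Constructed sample: (time, client, qname, qtype) events within one second."""
    events = []
    # Spoofed flood: 50 identical "ANY isc.org" queries claiming to be the victim
    for i in range(50):
        events.append((i / 50.0, "203.0.113.7", "isc.org", "ANY"))
    # Legitimate resolver: 20 distinct names in the same second
    for i in range(20):
        events.append((i / 20.0, "198.51.100.9", f"host{i}.example.net", "A"))
    events.sort(key=lambda e: e[0])
    return events


def simulate(limiter, events):
    """Run every event through the limiter and tally decisions per client."""
    outcome = defaultdict(Counter)
    for now, client, qname, qtype in events:
        outcome[client][limiter.decide(now, client, qname, qtype)] += 1
    return {client: dict(tally) for client, tally in outcome.items()}


def compare():
    """Same traffic under both keying policies; returns {policy: {client: tally}}."""
    traffic = constructed_traffic()
    return {
        "response_keyed": simulate(ResponseRateLimiter(key_on_response=True), traffic),
        "requestor_keyed": simulate(ResponseRateLimiter(key_on_response=False), traffic),
    }


if __name__ == "__main__":
    for policy, per_client in compare().items():
        print(policy)
        for client, tally in per_client.items():
            print("  ", client, tally)
```

Under the response-keyed policy the spoofed flood toward 203.0.113.7 is held to five full answers per second while the legitimate resolver's twenty distinct questions are all answered; under the requestor-keyed policy the same quota also cuts the legitimate resolver to five answers, which is the false-positive trade-off the post describes. Raising the per-requestor quota until that client is unaffected would let the flood through at the same higher rate.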