[c-nsp] rate limit dns
Gert Doering
gert at greenie.muc.de
Sun Dec 29 05:18:00 EST 2013
Hi,
On Sat, Dec 28, 2013 at 11:00:03AM -0800, MIke wrote:
> >Using any QoS mechanism, let alone an old, obsolete, unmaintained one like
> >CAR, to deal with DDoS isn't a good idea - programmatically-generated
> >attack traffic can 'crowd out' legitimate traffic.
>
> I am reasonably sure that for this one application - dropping floods of
> DNS traffic - it is a reasonable step.
Just want to say that I like this approach. Keep the Internet access
generally open, and only in case of "emergency" rate-limit what comes
in. In that case, yes, legitimate queries will suffer, but that is
still better than "always block that type of packet". IMHO.
(I might be a bit extreme on this, but I highly value the end-to-end
communication nature of the Internet, even if 99% of the subscribers
really do not make use of it, and see the Internet as some sort of
modern TV station. But still, I'm going to fight for a transparent
end-to-end Internet - which, just to state the obvious, does *not*
include the right for anyone to send attack traffic, and indeed,
ensuring the latter doesn't kill the former is not trivial)
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de