[c-nsp] rate limit dns

Dobbins, Roland rdobbins at arbor.net
Tue Dec 31 16:34:17 EST 2013


On Jan 1, 2014, at 4:13 AM, Mack McBride <mack.mcbride at viawest.com> wrote:

> Recursive servers have to be able to receive responses from anywhere on the internet.

Hence 'external resolvers', mentioned in my post.

<https://app.box.com/s/72bccbac1636714eb611>

> Nor can RTBH stop a true DDoS.

S/RTBH can, up to the point that the number of sources becomes unmanageable.  Hence, 'other mechanisms', mentioned in my post.

>  That is the 'distributed' part that is the first D. Nor will it stop a reflection attack, which is even more damaging because then you are blocking important authoritative DNS servers.

Again, hence 'other mechanisms', mentioned in my post.

Also, if you're on the designated-target leg of a DNS reflection/amplification attack, in most (not all; directly-spoofed ANY attacks and the like, which don't involve open recursors, are the exception) cases, you're receiving traffic from open recursors, not authoritative servers, and the sources you end up blocking are open recursors, not authoritative servers.

If your external resolvers are open recursors and are being abused, then you need to remediate them.

> As an ISP operator, I can tell you that your solution will only work for someone whose customers can't leave for another provider.

As someone who's worked with many ISPs to successfully mitigate many extremely large-scale and complex DNS-related DDoS attacks, including 100gb/sec+ reflection/amplification attacks, I can assure you that I do in fact understand the issues involved and how to deal with them.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
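Added example, not part of the original post or the author's own tooling: a small triage helper over constructed flow records (documentation-range addresses) that pulls out the sources of amplified DNS replies hitting a targeted host (the open recursors described above), exempts the network's own external resolvers, and emits S/RTBH /32 entries only while the source count is still manageable, returning None when "other mechanisms" are needed. The record layout, thresholds, resolver set and addresses are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample flow records (hypothetical, documentation-range addresses):
# (src_ip, src_port, dst_ip, dst_port, bytes, packets)
FLOWS = [
    ("198.51.100.10", 53, "203.0.113.5", 40001, 3_000_000, 1000),  # reflector -> target
    ("198.51.100.11", 53, "203.0.113.5", 40002, 2_800_000, 950),   # reflector -> target
    ("198.51.100.12", 53, "203.0.113.5", 40003, 2_900_000, 990),   # reflector -> target
    ("192.0.2.53", 53, "203.0.113.2", 51234, 120_000, 1000),       # normal replies to our resolver
    ("198.51.100.10", 53, "203.0.113.5", 40004, 3_100_000, 1020),  # same reflector again
    ("203.0.113.9", 40000, "203.0.113.5", 80, 50_000, 500),        # unrelated web traffic
]

# Our own external (recursive) resolvers: they must keep receiving replies
# from anywhere, so flows toward them are never treated as attack traffic.
EXTERNAL_RESOLVERS = {"203.0.113.2"}

# Average reply size above this is taken as a sign of amplified responses
# (assumed threshold; tune to what the network's normal replies look like).
MIN_RESP_BYTES = 1000


def reflector_sources(flows, target):
    """Aggregate bytes per source for suspected amplified DNS replies aimed at target."""
    per_src = defaultdict(int)
    for src, sport, dst, dport, nbytes, pkts in flows:
        if dst != target or dst in EXTERNAL_RESOLVERS:
            continue  # not the host under attack, or a resolver that must stay reachable
        if sport != 53 or pkts == 0 or nbytes / pkts < MIN_RESP_BYTES:
            continue  # not a DNS reply, or not large enough to look amplified
        per_src[src] += nbytes
    return dict(per_src)


def srtbh_plan(per_src, max_sources):
    """Return /32 blackhole entries ranked by volume, or None when the source
    count exceeds what S/RTBH can manage and other mechanisms are required."""
    if not per_src or len(per_src) > max_sources:
        return None
    ranked = sorted(per_src, key=per_src.get, reverse=True)
    return [f"{ip_address(s)}/32" for s in ranked]
```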



