[c-nsp] rate limit dns

Gert Doering gert at greenie.muc.de
Wed Jan 1 07:21:00 EST 2014


Hi,

On Tue, Dec 31, 2013 at 09:34:17PM +0000, Dobbins, Roland wrote:
> Also, if you're on the designated-target leg of a DNS reflection/amplification attack, in most (not all; directly-spoofed ANY attacks and the like, which don't involve open recursors, are the exception) cases, you're receiving traffic from open recursors, not authoritative servers, and the sources you end up blocking are open recursors, not authoritative servers.

Attackers have long started to use authoritatives as well, which is why
Paul Vixie's RRL or Lutz Donnerhacke's dampening patches for BIND exist.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
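The response rate limiting Gert refers to, shown as an added illustration that is not part of this thread and is not BIND's, Paul Vixie's or Lutz Donnerhacke's code: a token bucket keyed on (client prefix, qname, qtype, rcode), so that a flood of spoofed ANY queries "from" one victim prefix exhausts one bucket while other clients and other names are untouched, and with a "slip" that sends every n-th over-limit answer truncated so a real resolver behind that prefix can retry over TCP. The parameter names mirror the BIND rate-limit knobs, but the accounting (one second of credit, debt bounded by `window`) and all the addresses, names and traffic volumes are assumptions constructed for the example.

```python
import ipaddress
from collections import Counter


class ResponseRateLimiter:
    """Simplified RRL: a token bucket per (client prefix, qname, qtype, rcode).

    This is an illustration, not BIND's implementation. Knob names follow
    BIND's rate-limit block; the accounting is a deliberately simple assumption.
    """

    def __init__(self, responses_per_second=5, slip=2, window=15,
                 ipv4_prefix_length=24):
        self.rps = responses_per_second
        self.slip = slip
        self.window = window
        self.v4_prefix = ipv4_prefix_length
        self.buckets = {}        # key -> (credits, last_second)
        self.slip_counters = {}  # key -> number of over-limit answers seen

    def _key(self, client_ip, qname, qtype, rcode):
        # Reflection traffic for one victim arrives "from" one prefix with one
        # (qname, qtype), so that tuple is what gets limited. The client
        # prefix is the spoofed victim's, i.e. the one our answers would flood.
        net = ipaddress.ip_network(f"{client_ip}/{self.v4_prefix}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper(), rcode)

    def decide(self, now, client_ip, qname, qtype, rcode="NOERROR"):
        """Return 'send', 'slip' (truncated TC=1 answer) or 'drop'."""
        key = self._key(client_ip, qname, qtype, rcode)
        credits, last = self.buckets.get(key, (self.rps, int(now)))
        # Refill rps credits per elapsed second, capped at one second's allowance.
        credits = min(self.rps, credits + (int(now) - last) * self.rps)
        credits -= 1
        # Bound the debt so a bucket recovers within `window` seconds of a
        # flood ending instead of staying blocked for minutes.
        credits = max(credits, -self.rps * self.window)
        self.buckets[key] = (credits, int(now))
        if credits >= 0:
            return "send"
        # Over the limit: drop most answers, but every slip-th one goes out
        # truncated and tiny, so a genuine resolver in the victim prefix
        # retries over TCP, where the source address cannot be spoofed, while
        # the amplification factor toward the victim stays near zero.
        n = self.slip_counters.get(key, 0) + 1
        self.slip_counters[key] = n
        if self.slip and n % self.slip == 0:
            return "slip"
        return "drop"


def simulate():
    """Constructed traffic: one legitimate resolver, one spoofed ANY flood,
    and a second host inside the victim's /24 asking for a different name."""
    rrl = ResponseRateLimiter()
    results = {"legit_a": Counter(), "victim_any": Counter(),
               "victim_prefix_other": Counter()}
    # Legitimate resolver (assumed address), 1 query per second for 20 s.
    for sec in range(20):
        verdict = rrl.decide(sec + 0.5, "198.51.100.7", "example.com", "A")
        results["legit_a"][verdict] += 1
    # Spoofed flood: 100 ANY queries per second for 5 s, source set to the
    # victim's (assumed) address so our answers would be reflected at it.
    for sec in range(5):
        for i in range(100):
            verdict = rrl.decide(sec + i / 100, "203.0.113.9", "example.com", "ANY")
            results["victim_any"][verdict] += 1
    # Another host in the victim's /24 asking for a different name hits a
    # different bucket and is answered normally.
    for sec in range(5):
        verdict = rrl.decide(sec + 0.3, "203.0.113.20", "www.example.com", "A")
        results["victim_prefix_other"][verdict] += 1
    return results


if __name__ == "__main__":
    for name, counts in simulate().items():
        print(name, dict(counts))
```

In the simulation the flood gets five real answers (one second's allowance) and then only drops and truncated slips for the rest of its five seconds, while the legitimate resolver and the other host in the victim's prefix are answered every time. In BIND the equivalent knobs live in the `rate-limit { ... }` block of `named.conf` (`responses-per-second`, `slip`, `window`, `ipv4-prefix-length`); start with `log-only yes` to see which buckets would be limited before enforcing.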