[c-nsp] rate limit dns

Dobbins, Roland rdobbins at arbor.net
Fri Jan 3 04:22:59 EST 2014


On Jan 3, 2014, at 4:15 PM, Eugeniu Patrascu <eugen at imacandi.net> wrote:

> Maybe I should try this again: what I said was that on the recursive resolvers dedicated for your clients you can add an extra layer of protection in terms of dropping fake responses targeted at those servers by the means of a local firewall setup on each box, not on a gateway like box.

I understand; this is a Very Bad Idea, for the reasons mentioned previously.

> What I'm arguing against is the idea of rate limiting a service just because it might be attacked and have your customers play the lottery with their queries and try again if their packets are lost due to rate limiting.

RRL is intended for authoritative servers, absolutely.  There are other mechanisms which can be used to protect recursive servers from abuse from the customer side, starting with S/RTBH.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
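
The distinction Roland draws above (RRL belongs on authoritative servers, not on recursive resolvers serving customers) is easier to see with a small model. The following is an added illustration written for this page, not code from the thread or from any RRL implementation: a per-(client prefix, response identity) token bucket in the style of DNS Response Rate Limiting, with a slip setting that sends every second rate-limited response truncated (TC=1) so a genuine client can retry over TCP. The parameter values, addresses and query names are constructed. Run against a spoofed flood and a few legitimate lookups in the same second, it shows why this works well in front of an authoritative zone (the reflected responses are capped per prefix, other prefixes and other names are untouched) and why the same mechanism on a customer-facing recursive resolver becomes the "lottery" the earlier message objects to: a legitimate client that shares the flood's prefix and question loses responses along with the attacker.

```python
"""Toy model of DNS Response Rate Limiting (RRL); an added example, not vendor code."""
from dataclasses import dataclass
import ipaddress


@dataclass
class RRLConfig:
    """Knobs modelled on the usual RRL parameters (values are constructed, not a vendor default)."""
    responses_per_second: int = 5   # identical responses allowed per client prefix per second
    slip: int = 2                   # every slip-th limited response is sent with TC=1 instead of dropped
    v4_prefix_len: int = 24         # clients are aggregated by prefix, so a whole /24 shares a bucket
    v6_prefix_len: int = 56


@dataclass
class Bucket:
    credits: int
    last_refill: int
    limited: int = 0                # responses rate-limited so far; drives the slip decision


class RRL:
    """Token bucket keyed on (client prefix, qname, qtype), the core idea behind RRL."""

    def __init__(self, cfg: RRLConfig):
        self.cfg = cfg
        self.buckets = {}

    def _prefix(self, addr: str) -> str:
        ip = ipaddress.ip_address(addr)
        plen = self.cfg.v4_prefix_len if ip.version == 4 else self.cfg.v6_prefix_len
        return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

    def decide(self, now: int, client: str, qname: str, qtype: str) -> str:
        """Return 'answer', 'truncate' (TC=1, a hint to retry over TCP) or 'drop'."""
        key = (self._prefix(client), qname.lower().rstrip("."), qtype.upper())
        b = self.buckets.get(key)
        if b is None:
            b = self.buckets[key] = Bucket(self.cfg.responses_per_second, now)
        if now > b.last_refill:
            # Refill once per elapsed second, never above the configured ceiling.
            b.credits = min(self.cfg.responses_per_second,
                            b.credits + (now - b.last_refill) * self.cfg.responses_per_second)
            b.last_refill = now
        if b.credits > 0:
            b.credits -= 1
            return "answer"
        b.limited += 1
        if self.cfg.slip and b.limited % self.cfg.slip == 0:
            return "truncate"
        return "drop"


def demo() -> dict:
    """Constructed traffic: a spoofed flood plus legitimate lookups in the same second."""
    rrl = RRL(RRLConfig())
    # 20 queries in one second, all claiming to come from one host in 203.0.113.0/24.
    flood = [rrl.decide(0, "203.0.113.10", "example.com", "A") for _ in range(20)]
    return {
        "flood_answered": flood.count("answer"),
        "flood_truncated": flood.count("truncate"),
        "flood_dropped": flood.count("drop"),
        # Same /24 and same question as the flood: shares the exhausted bucket (the 'lottery').
        "same_prefix_same_name": rrl.decide(0, "203.0.113.77", "example.com", "A"),
        # Same /24 but a different question: separate bucket, answered normally.
        "same_prefix_other_name": rrl.decide(0, "203.0.113.77", "www.example.com", "A"),
        # Different prefix: unaffected by the flood.
        "other_prefix": rrl.decide(0, "198.51.100.5", "example.com", "A"),
        # One second later the bucket has refilled.
        "next_second": rrl.decide(1, "203.0.113.10", "example.com", "A"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

With these constructed settings the flood gets 5 answers, 7 truncated responses and 8 drops, the legitimate client in the same /24 asking the same name is truncated rather than answered, and everyone else is served. On an authoritative server that trade-off is acceptable because the clients are other resolvers, which fall back to TCP on TC=1; on a recursive resolver the "clients" are end users behind NAT who share a prefix and ask the same popular names, which is exactly the population RRL would penalise.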
