So, based on the response below, how critical is it to implement RRL via the BIND RRL patch, provided the server's resources are available? And where do I download this patch?

Rohan

On Thu, 2 May 2013 22:16:51 GMT Vernon Schryver <v...@rhyolite.com> wrote:
>> From: "Lawrence K. Chen, P.Eng." <lkc...@ksu.edu>
>
>> So does rate limiting cover when the attacker walks my DNS zone to
>> attack an IP?
>
> That depends on what is meant by "rate limiting" and "walking a DNS zone".
>
> Simple rate limiting that counts all requests ostensibly from a
> single IP address regardless of (qname,qtype) differs from response
> rate limiting (RRL), which counts distinct responses.
>
> "Walking a zone" can differ from walking a zone's valid names (perhaps
> based on NSEC RRs or arithmetic as in a reverse zone).
>
> Simple rate limiting is required to mitigate zone walking for valid names
> not based on a wildcard, because the valid responses differ for RRL.
> If you read the BIND9 RRL documentation, then you will find that simple
> rate limiting is supported by the BIND9 RRL patch. However, simple
> rate limiting is best done in a separate firewall to avoid spending
> CPU cycles, memory bandwidth, and other resources of the DNS server.
>
> Responses based on a wildcard or error responses such as NXDOMAIN or
> REFUSED responses are considered identical by RRL and so are limited
> by the BIND RRL patch.
>
> On the other hand, an attack from an ambitious bad guy who has built a
> list of 1,000,000 triples of (qname,qtype,DNS server IP) and does not
> hit any single DNS server more often than 5 requests/second will not
> be detected by any of the servers and so cannot be mitigated at the
> servers even with simple rate limiting. It is in a sense fortunate
> that DNSSEC is still so rare that finding 1,000,000 DNS server IP
> addresses with large amplification requires more effort than other
> reflection mechanisms.
>
>
> Vernon Schryver v...@rhyolite.com
>
> P.S. Maybe there should be an FAQ somewhere, because it seems as if
> I've written something similar often enough to irritate others.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
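The distinction Vernon draws above (a simple per-client limiter counts every query from an address; RRL counts identical responses, so NXDOMAIN, REFUSED and wildcard answers collapse into one bucket while valid unique names each form their own) is easiest to see by running both counters over the same query stream. The following is an added, constructed model written for this thread; it is not BIND's code or the RRL patch. It simplifies deliberately: counts are kept per whole second rather than with BIND's token bucket, clients are aggregated on an assumed /24 prefix, and the limits (20 queries/second for the simple limiter, 5 identical responses/second for RRL) are assumed values. The four scenarios are constructed: a walk of valid names, a walk of non-existent names, a walk under a wildcard, and a "low and slow" source that never exceeds 5 queries/second at this server.

```python
from collections import defaultdict

# Constructed model of two limiters for illustration; not BIND's implementation.
ERROR_RCODES = {"NXDOMAIN", "REFUSED"}


def client_prefix(ip, prefix_len=24):
    """Mask an IPv4 dotted-quad down to its prefix (assumed /24 aggregation)."""
    bits = 0
    for octet in ip.split("."):
        bits = (bits << 8) | int(octet)
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return bits & mask


def response_identity(client_ip, qname, qtype, rcode, wildcard=False):
    """Bucket key used by the RRL-style counter: responses that look the same share a key."""
    net = client_prefix(client_ip)
    if rcode in ERROR_RCODES:
        return (net, rcode)                  # every NXDOMAIN/REFUSED answer counts together
    if wildcard:
        return (net, "WILDCARD", qtype)      # wildcard-synthesized answers are identical too
    return (net, qname.lower(), qtype)       # a valid unique name is its own response


def simulate(queries, simple_limit, rrl_limit):
    """queries: iterable of (second, client_ip, qname, qtype, rcode, wildcard).
    Returns (dropped_by_simple_limiter, dropped_by_rrl) over the whole stream."""
    simple_counts = defaultdict(int)   # (second, client prefix) -> queries seen
    rrl_counts = defaultdict(int)      # (second, response identity) -> responses seen
    dropped_simple = dropped_rrl = 0
    for sec, ip, qname, qtype, rcode, wild in queries:
        k_simple = (sec, client_prefix(ip))
        simple_counts[k_simple] += 1
        if simple_counts[k_simple] > simple_limit:
            dropped_simple += 1
        k_rrl = (sec,) + response_identity(ip, qname, qtype, rcode, wild)
        rrl_counts[k_rrl] += 1
        if rrl_counts[k_rrl] > rrl_limit:
            dropped_rrl += 1
    return dropped_simple, dropped_rrl


# Constructed scenarios: 50 queries from one spoofed address, 192.0.2.7 (documentation range).
def valid_name_walk():
    """Distinct existing names, all answered NOERROR: every response is unique."""
    return [(0, "192.0.2.7", f"host{i}.example.", "A", "NOERROR", False) for i in range(50)]


def nxdomain_walk():
    """Distinct non-existent names: every response is an NXDOMAIN."""
    return [(0, "192.0.2.7", f"nope{i}.example.", "A", "NXDOMAIN", False) for i in range(50)]


def wildcard_walk():
    """Distinct names all matched by *.example.: every response is the same wildcard answer."""
    return [(0, "192.0.2.7", f"any{i}.example.", "A", "NOERROR", True) for i in range(50)]


def low_and_slow():
    """5 NXDOMAIN queries per second for 10 seconds: never over either per-second limit."""
    return [(s, "192.0.2.7", f"nope{s}-{i}.example.", "A", "NXDOMAIN", False)
            for s in range(10) for i in range(5)]


if __name__ == "__main__":
    for name, fn in [("valid walk", valid_name_walk), ("nxdomain walk", nxdomain_walk),
                     ("wildcard walk", wildcard_walk), ("low and slow", low_and_slow)]:
        print(f"{name:14s} simple/RRL drops = {simulate(fn(), 20, 5)}")
```

With these limits the valid-name walk is caught only by the simple limiter (30 of 50 dropped, RRL drops none), the NXDOMAIN and wildcard walks are caught by both (RRL drops 45 of 50 because the responses are identical), and the low-and-slow stream passes both untouched, which is the case Vernon says cannot be mitigated at the server at all.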