On 2012-06-11 5:46 PM, Olafur Gudmundsson wrote:
> Paul,
> how about a much simpler configuration option to force all
> any queries to be reissued over TCP,
> restrict-any-udp "yes/no";

i think somebody has patented that. while i'm not a lawyer i don't think the RRL patch set runs afoul of that patent, since our innovation is the slip rate.

> And have Bind reply with TC=1 and empty answer section on ANY UDP
> queries.
> This is simple, no state needed, no firewall rules, and gets rid of
> spoofed addresses.
>
> Olafur

if an attacker is spoof-querying a victim's client-ip and the packet rate is high enough to warrant rate limiting, then the packet headers (ip, udp, dns, query) are heavy enough to damage the victim. so, even without amplification, there is still a major problem with reflection.

the normal udp retry rate for healthy non-spoofed query traffic is perfect for us. the slip rate method in RRL has a good chance of answering the few real query retries while ignoring the rest.

thanks for your questions; more are welcome. and it's time to broaden the testing. i'm about to announce RRL; i will use a new thread to do it in.

paul
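A simplified model of the two approaches in this exchange, added here as an example and not part of the thread or of BIND's RRL code: always answering UDP ANY with a TC=1 empty reply, versus a per-client limiter that drops over-limit responses but "slips" a small TC=1 reply every slip-th time. The token-bucket limiter, the packet sizes, the flood and the 192.0.2.x / 198.51.100.x addresses are all constructed assumptions; the point it shows is Paul's: the metric that matters for reflection without amplification is packets reaching the victim, not just bytes.

```python
"""Constructed model of UDP ANY reflection under three policies (added example)."""

HDR_BYTES = 20 + 8 + 12        # IPv4 + UDP + DNS header: reaches the victim even when the answer is empty
TC_BYTES = HDR_BYTES + 20      # constructed: TC=1 reply carrying only the question section
FULL_ANY_BYTES = 3000          # constructed: a large ANY answer from a signed zone


class Rrl:
    """Simplified per-client response rate limiter with a slip counter (assumed model, not BIND's)."""

    def __init__(self, responses_per_second=5, slip=2, window=15):
        self.rate = responses_per_second
        self.slip = slip
        self.max_credit = responses_per_second * window
        self.state = {}   # client -> [credit, last_second, limited_since_last_slip]

    def decide(self, client, now):
        credit, last, n = self.state.setdefault(client, [self.rate, now, 0])
        # refill at `rate` per second, cap the balance in both directions, spend one credit
        credit = max(-self.max_credit, min(self.max_credit, credit + (now - last) * self.rate) - 1)
        if credit >= 0:
            self.state[client] = [credit, now, n]
            return "answer"
        n, verdict = n + 1, "drop"
        if self.slip and n >= self.slip:    # every slip-th limited response goes out truncated
            n, verdict = 0, "slip"
        self.state[client] = [credit, now, n]
        return verdict


def reflected(policy, queries):
    """Return (packets, bytes) delivered to the spoofed source under a policy."""
    rrl = Rrl()
    packets = nbytes = 0
    for client, second in queries:
        if policy == "tc_any":              # restrict-any-udp: every ANY gets TC=1, no state
            size = TC_BYTES
        elif policy == "rrl":
            size = {"answer": FULL_ANY_BYTES, "slip": TC_BYTES, "drop": 0}[rrl.decide(client, second)]
        else:                               # no mitigation at all
            size = FULL_ANY_BYTES
        packets += 1 if size else 0
        nbytes += size
    return packets, nbytes


FLOOD = [("192.0.2.7", 0)] * 100           # constructed: 100 spoofed ANY queries in one second

if __name__ == "__main__":
    for policy in ("none", "tc_any", "rrl"):
        print(policy, reflected(policy, FLOOD))
```

With the constructed numbers, TC-only still sends all 100 packets to the victim, while the limiter answers 5 and slips 47, dropping the rest; a lone query from a different client is still answered in full.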