On 11.09.2012 18:38, Vernon Schryver wrote:
>The tuple <mask(IP), imputed(NAME), errorstatus> is used to select a
>state blob. In the amplification attacks on our authoritative servers we
>Thus, it may take some time until the attacker starts with domain1.com
>again. If I understand the Responder Behavior correct, this would mean
>that filtering is never triggered if a domain is not queried
>RESPONSES-PER-SECOND times per second. Or do I miss something here?
>
>I'm not sure I understand.  If that points out that an attack that is
>too diffuse to be noticed by the BIND RRL code might be noticed by a
>firewall rule, then I agree.  I'd also say that can be seen as a feature
>instead of a defect, because during less diffuse attacks, legitimate
>requests from the forged CIDR block will still be answered.

My concern was that the attack might be too diffuse for this RRL approach: since a changing imputed(NAME) always selects a different state blob, a single attacker may generate lots of state blobs without triggering blocking.

Generally I agree that RRL is more generic and can also deal with new, not yet known attack scenarios. With the currently seen attack on our servers (ANY, RD bit set, port correlates with transaction ID), an iptables rule will be more efficient, but of course is limited to this single attack.

regards
Klaus
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations