On Mon, Dec 17, 2012 at 08:17:18PM +0000, Paul Vixie <p...@redbarn.org> wrote a message of 33 lines which said:
> if you limit your request flows rather than your response flows,
> then your only choice is: too low, where a legitimate client asking
> a legitimately diverse set of questions, does not get reliable
> service;

In theory, you're right. In practice, the attacks of *today* are quite
simple and quite separate from normal DNS traffic (nobody asks "ANY
isc.org" in the real world, except the attackers). I appreciate the
BIND RRL patch and it is obvious to me that we must continue the
research in DDoS mitigation, but let's not drop the mitigation
techniques that work *today*. (The attackers are not superhuman, they
use imperfect techniques.)

> OS-level rate limiting also lacks the ability to insert TC=1
> responses on a statistical basis, thus transforming rate limiting
> into transaction delay rather than transaction loss.

Yes.

> see http://www.redbarn.org/dns/ratelimits for background, including
> patches (which are not currently supported by ISC)

In actual deployments, some people may be unwilling or unauthorized
(corporate policy) to install "unofficial" patches on a production
server. That's why we should not reject blindly the OS-level rate
limiters (see my mini-HOWTO in this thread).

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
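The trade-off argued over in this exchange (limiting request flows per source, as an OS-level filter does, versus limiting identical response flows and "slipping" a TC=1 reply on a statistical basis, as RRL does), shown as an added simulation. This is not code from the thread, from BIND's RRL or from the OS-level mini-HOWTO; the traffic mix, the thresholds (20 requests per source, 5 identical responses per client /24, slip 2) and the fixed-window counters are constructed assumptions chosen to make the effect visible in one pass, and the real RRL implementation uses its own token buckets and parameters.

```python
"""
Request-flow limiting vs response-flow limiting with TC=1 slip.
Added example; all traffic and thresholds below are constructed.
"""
import struct
from collections import defaultdict

FLAG_QR = 0x8000   # response bit
FLAG_TC = 0x0200   # truncated bit: "retry this over TCP"
QTYPE_A, QTYPE_ANY = 1, 255


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(msg: bytes):
    """Return (txid, qname, qtype) from the first (and only) question."""
    txid = struct.unpack("!H", msg[:2])[0]
    off, labels = 12, []
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    qtype = struct.unpack("!H", msg[off + 1:off + 3])[0]
    return txid, ".".join(labels) + ".", qtype


def truncated_response(query: bytes) -> bytes:
    """The 'slip' reply: QR and TC set, question echoed, no answer data.
    A well-behaved client retries over TCP, so the transaction is delayed
    rather than lost, and a spoofed victim gets a tiny packet, not an
    amplified one."""
    txid, flags = struct.unpack("!HH", query[:4])
    return struct.pack("!HHHHHH", txid, flags | FLAG_QR | FLAG_TC, 1, 0, 0, 0) + query[12:]


def is_truncated(msg: bytes) -> bool:
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)


def network24(ip: str) -> str:
    return ".".join(ip.split(".")[:3]) + ".0/24"


class RequestLimiter:
    """OS-filter style: count *requests* per source address and drop
    everything above the limit, whatever was asked (assumed policy)."""
    def __init__(self, per_source_limit: int):
        self.limit = per_source_limit
        self.count = defaultdict(int)

    def handle(self, src: str, query: bytes) -> str:
        self.count[src] += 1
        return "drop" if self.count[src] > self.limit else "answer"


class ResponseLimiter:
    """RRL style: count identical *responses* per client /24; above the
    limit, drop, but every `slip`-th excess response is sent as TC=1."""
    def __init__(self, per_response_limit: int, slip: int):
        self.limit, self.slip = per_response_limit, slip
        self.count = defaultdict(int)

    def handle(self, src: str, query: bytes) -> str:
        _, qname, qtype = parse_question(query)
        key = (network24(src), qname, qtype)   # what the *response* would be
        self.count[key] += 1
        excess = self.count[key] - self.limit
        if excess <= 0:
            return "answer"
        return "slip" if excess % self.slip == 0 else "drop"


def constructed_traffic():
    """Constructed sample, one time window: a legitimate resolver asking 40
    different names, and a reflection attack of 1000 identical 'ANY isc.org'
    queries whose source is spoofed to the victim's address."""
    legit = [("10.0.0.7", build_query(f"host{i}.example.", QTYPE_A)) for i in range(40)]
    attack = [("192.0.2.99", build_query("isc.org.", QTYPE_ANY))] * 1000
    return legit, attack


def simulate(limiter, traffic) -> dict:
    outcome = defaultdict(int)
    for src, query in traffic:
        outcome[limiter.handle(src, query)] += 1
    return dict(outcome)


def run() -> dict:
    legit, attack = constructed_traffic()
    results = {}
    for name, limiter in (("request-limit", RequestLimiter(20)),
                          ("response-limit", ResponseLimiter(5, slip=2))):
        results[name] = {"legit": simulate(limiter, legit),
                         "attack": simulate(limiter, attack)}
    return results


if __name__ == "__main__":
    for policy, res in run().items():
        print(policy, res)
```

With these constructed numbers the request limiter cannot be tuned right: at 20 per source it throws away half of the legitimate resolver's diverse questions while still answering 20 amplified ANY responses towards the victim, and lowering it only hurts the legitimate client more. The response limiter answers all 40 diverse questions, because each is a different response, and turns the flood into 5 answers plus small TC=1 slips; the slip is what an OS-level filter has no way to emit, which is the point conceded with "Yes." above. The OS-level approach still has the practical merit the message defends: it needs no patch to the nameserver.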