
List:       dns-operations
Subject:    [dns-operations] ok, DNS RRL (rate limits) are officially, seriously, cool
From:       paul () redbarn ! org (Paul Vixie)
Date:       2012-06-25 14:27:37
Message-ID: 4FE87559.7080606 () redbarn ! org

On 2012-06-25 7:40 AM, Klaus Darilion wrote:
> 
> On 24.06.2012 01:19, Paul Vixie wrote:
> >
> Nice. But I wonder why there is a drop-down of outgoing packets during
> an amplification attack. I would expect that outgoing traffic is
> constant. Maybe, in this case also legitimate queries are blocked
> (false positive).

it's hard to see on this graph, but on these servers, the output rate
for valid queries always suffers during an input spike. i don't see the
same depression on authority servers i run elsewhere. i believe that
what's happening is that the recursive servers can't hear their
cache-miss responses which are lost in the storm due to upstream path
congestion. vernon and i are researching this.

i would very much welcome similar graphs from other people using DNS RRL
in production (or who can test at those input volumes.)

also: if you are an operator feeling these attacks and you're able to
invest time and energy into helping to track them back, there's a
private ops-t work party ("madmax") that i'd like to invite you into.
let me know.

paul
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/bmp
Size: 637446 bytes
Desc: not available
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20120625/1c3150d4/attachment-0002.bin>
                
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/bmp
Size: 703302 bytes
Desc: not available
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20120625/1c3150d4/attachment-0003.bin>


