dns-operations - [opennic-dns-operations] Fwd: [dns-operations] ok, DNS RRL (rate limits) are officially, seriously, cool
[opennic-dns-operations] Fwd: [dns-operations] ok, DNS RRL (rate limits) are officially, seriously, cool
  • From: Julian DeMarchi <julian AT jdcomputers.com.au>
  • To: dns-operations AT lists.opennicproject.org
  • Subject: [opennic-dns-operations] Fwd: [dns-operations] ok, DNS RRL (rate limits) are officially, seriously, cool
  • Date: Mon, 25 Jun 2012 09:49:06 +1000



-------- Original Message --------
Subject: [dns-operations] ok, DNS RRL (rate limits) are officially,
seriously, cool
Date: Sat, 23 Jun 2012 23:19:35 +0000
From: Paul Vixie <paul AT redbarn.org>
To: dns-operations AT mail.dns-oarc.net <dns-operations AT mail.dns-oarc.net>



from the PNG graphic below you should be able to tell that this name
server (one of the "rove ip" or "dns changer" replacement dns servers;
the one responsible for what were once rove digital's chicago
properties) has been used for some kind of dns amplification attacks.
input is green, output is blue.

you should also be able to see that we installed the DNS RRL patches on
these servers at ~2300Z friday.

see <http://www.redbarn.org/dns/ratelimits> for the technical
specification, BIND administrator documentation, and BIND 9.8.latest and
9.9.latest patch files.

note that the server graphed below is an open recursive, and that we
don't really know how to rate limit these in a way that limits false
positives and false negatives, but we were desperate, so we used:

rate-limit {
        responses-per-second 10;
        window 10;
};

which is higher and deeper than what should be needed for an authority
DNS name server. (DNS RRL is only known-good for dns authority servers
-- so this example is an off-label use or "hail mary pass" which happens
to work out well.)

we're counting on the fact that nobody is running a home mail server or
web server using these recursive servers -- in other words we think
we're talking only to web browsers. opendns and googledns are likely way
smarter, and we're not (vernon schryver and myself) ready to certify the
current logic for recursive dns servers. you should put ACL's on your
recursive name servers to keep them from being used from off-network.
don't be an open recursive, in other words, unless you're as smart as
opendns and googledns about how to control abuse.

here are the graphs. i totally love this.

paul

_______________________________________________
dns-operations mailing list
dns-operations AT lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
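The rate-limit block in Paul's mail limits how many identical responses a server will send to one client netblock per second. The following is an added example, not code from the original message and not BIND's implementation: a simplified token-bucket model of RRL in Python that uses the two parameters from the mail (responses-per-second 10, window 10) and BIND's default grouping of IPv4 clients by /24. The bucket-capacity rule (a client may bank up to responses_per_second * window credits), the constructed query list, the client addresses (documentation ranges) and the simulate() helper are all assumptions of this model, not BIND's actual accounting.

```python
"""Simplified model of DNS Response Rate Limiting (RRL), for illustration.

This is NOT BIND's rrl.c. It models one idea behind RRL: responses are
accounted per (client netblock, response identity) and a client that asks
for the same answer faster than responses-per-second gets the excess dropped.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Bucket:
    balance: float      # credits available; one response costs one credit
    last_seen: float    # time of the last response charged to this bucket


@dataclass
class ResponseRateLimiter:
    responses_per_second: int = 10   # the value used in the mail
    window: int = 10                 # the value used in the mail
    ipv4_prefix: int = 24            # BIND groups IPv4 clients by /24 by default
    ipv6_prefix: int = 56            # and IPv6 clients by /56 by default
    buckets: dict = field(default_factory=dict)

    def client_key(self, client_ip: str) -> str:
        """Collapse a client address to its netblock, as RRL does."""
        addr = ip_address(client_ip)
        prefix = self.ipv4_prefix if addr.version == 4 else self.ipv6_prefix
        return str(ip_network(f"{addr}/{prefix}", strict=False))

    def check(self, client_ip: str, qname: str, qtype: str,
              rcode: str, now: float) -> str:
        """Return "send" or "drop" for one would-be response at time `now`.

        Assumption of this model: each bucket starts with one second's worth
        of credits, refills at responses_per_second per elapsed second, and
        can bank at most responses_per_second * window credits.
        """
        key = (self.client_key(client_ip), qname.lower(), qtype, rcode)
        cap = float(self.responses_per_second * self.window)
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = Bucket(balance=float(self.responses_per_second), last_seen=now)
            self.buckets[key] = bucket
        else:
            elapsed = max(0.0, now - bucket.last_seen)
            bucket.balance = min(cap, bucket.balance + elapsed * self.responses_per_second)
            bucket.last_seen = now
        if bucket.balance >= 1.0:
            bucket.balance -= 1.0
            return "send"
        return "drop"


# Constructed traffic (not real data): a burst of identical ANY queries from
# one host, a few from a neighbour in the same /24, one unrelated client,
# a different question from the first host, and a second burst a second later.
CONSTRUCTED_QUERIES = (
    [("192.0.2.10", "example.com.", "ANY", "NOERROR", 0.0)] * 30
    + [("192.0.2.77", "example.com.", "ANY", "NOERROR", 0.0)] * 5
    + [("198.51.100.5", "example.com.", "ANY", "NOERROR", 0.0)]
    + [("192.0.2.10", "example.net.", "A", "NOERROR", 0.0)]
    + [("192.0.2.10", "example.com.", "ANY", "NOERROR", 1.0)] * 12
)


def simulate(queries, responses_per_second: int = 10, window: int = 10) -> dict:
    """Run a query list (in time order) through the limiter; count per client."""
    limiter = ResponseRateLimiter(responses_per_second, window)
    counts = defaultdict(lambda: {"send": 0, "drop": 0})
    for client_ip, qname, qtype, rcode, now in queries:
        counts[client_ip][limiter.check(client_ip, qname, qtype, rcode, now)] += 1
    return dict(counts)


if __name__ == "__main__":
    for client, c in simulate(CONSTRUCTED_QUERIES).items():
        print(f"{client:>14}: sent {c['send']:3d}  dropped {c['drop']:3d}")
```

With the mail's settings the first ten identical responses to 192.0.2.10 go out and the next twenty are dropped; 192.0.2.77 shares that /24 bucket and gets nothing, while a different question from the same host and a client in another netblock are unaffected. That shared-netblock accounting is exactly why the mail calls this an off-label use on a recursive server: many legitimate stub resolvers behind one NAT or one /24 look like a single client to RRL.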
