DDOS attack Bind 9.9 - P2

rohan.henry at cwjamaica.com rohan.henry at cwjamaica.com
Fri May 3 16:08:38 UTC 2013

So based on the response below, how critical is it to implement RRL via the Bind RRL patch, provided the server's resources are available? And where do I download this patch?


On Thu, 2 May 2013 22:16:51 GMT
 Vernon Schryver <vjs at rhyolite.com> wrote:
>> From: "Lawrence K. Chen, P.Eng." <lkchen at ksu.edu>
>> So does rate limiting cover when the attacker walks my DNS zone to
>> attack an IP?
>That depends on what is meant by "rate limiting" and "walking a DNS zone".
>Simple rate limiting that counts all requests ostensibly from a
>single IP address regardless of (qname,qtype) differs from response
>rate limiting (RRL) which counts distinct responses.
>
>"Walking a zone" can differ from walking a zone's valid names (perhaps
>based on NSEC RRs or arithmetic as in a reverse zone).
>
>Simple rate limiting is required to mitigate zone walking for valid names
>not based on a wildcard, because the valid responses differ for RRL.
>
>If you read the BIND9 RRL documentation, then you will find that simple
>rate limiting is supported by the BIND9 RRL patch.  However, simple
>rate limiting is best done in a separate firewall to avoid spending
>CPU cycles, memory bandwidth, and other resources of the DNS server.
>
>Responses based on a wildcard or error responses such as NXDOMAIN or
>REFUSED responses are considered identical by RRL and so are limited
>by the BIND RRL patch.
>
>On the other hand, an attack from an ambitious bad guy who has built a
>list of 1,000,000 triples of (qname,qtype,DNS server IP) and does not
>hit any single DNS server more often than 5 requests/second will not
>be detected by any of the servers and so cannot be mitigated at the
>servers even with simple rate limiting.  It is in a sense fortunate
>that DNSSEC is still so rare that finding 1,000,000 DNS server IP
>addresses with large amplification requires more effort than other
>reflection mechanisms.
>
>Vernon Schryver    vjs at rhyolite.com
>
>P.S. Maybe there should be an FAQ somewhere, because it seems as if
>I've written something similar often enough to irritate others.

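To make the distinction in the quoted reply concrete, here is an added Python simulation (not ISC's code and not BIND's actual RRL implementation) that runs the same two query streams through a per-client "simple" limiter and an RRL-style limiter that buckets identical responses together. The 5 responses/second threshold, the spoofed client address 192.0.2.1 and the query names are constructed for the example.

```python
from collections import defaultdict

# Assumed threshold, applied to both limiters for a like-for-like comparison.
LIMIT_PER_SEC = 5

def simple_key(client_ip, qname, qtype, rcode):
    """Simple rate limiting: everything from one client shares a bucket."""
    return (client_ip,)

def rrl_key(client_ip, qname, qtype, rcode):
    """RRL-style bucketing (simplified model of what the BIND RRL docs
    describe): error responses are treated as identical to each other,
    while distinct valid answers each get their own bucket."""
    if rcode in ("NXDOMAIN", "REFUSED"):
        return (client_ip, rcode)
    return (client_ip, qname, qtype)

def count_over_limit(queries, keyfunc, limit=LIMIT_PER_SEC):
    """queries: list of (second, client_ip, qname, qtype, rcode).
    Returns how many responses exceed `limit` per bucket per second,
    i.e. how many a limiter of this kind would rate-limit."""
    buckets = defaultdict(int)
    over = 0
    for sec, ip, qname, qtype, rcode in queries:
        key = (sec,) + keyfunc(ip, qname, qtype, rcode)
        buckets[key] += 1
        if buckets[key] > limit:
            over += 1
    return over

# Constructed stream 1: 100 valid, distinct PTR names of a reverse zone,
# all requested within one second with the victim's address as source.
ZONE_WALK = [(0, "192.0.2.1", f"{i}.2.0.192.in-addr.arpa.", "PTR", "NOERROR")
             for i in range(100)]

# Constructed stream 2: 100 random non-existent names in one second,
# so every response is the same NXDOMAIN error.
NXDOMAIN_FLOOD = [(0, "192.0.2.1", f"rnd{i}.example.net.", "A", "NXDOMAIN")
                  for i in range(100)]

def compare():
    """Over-limit counts for each (stream, limiter) pair."""
    return {
        "zone_walk/simple": count_over_limit(ZONE_WALK, simple_key),
        "zone_walk/rrl": count_over_limit(ZONE_WALK, rrl_key),
        "nxdomain/simple": count_over_limit(NXDOMAIN_FLOOD, simple_key),
        "nxdomain/rrl": count_over_limit(NXDOMAIN_FLOOD, rrl_key),
    }

if __name__ == "__main__":
    print(compare())
```

The walk of distinct valid names sails past the RRL-style limiter (every response is different, so no bucket fills) but is caught by the per-client limiter, while the NXDOMAIN flood is caught by both, which is the point the reply makes about needing simple rate limiting, ideally in a separate firewall, alongside RRL.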