DDOS attack Bind 9.9 - P2

Lawrence K. Chen, P.Eng. lkchen at ksu.edu
Fri May 3 17:06:08 UTC 2013

----- Original Message -----
> > From: "Lawrence K. Chen, P.Eng." <lkchen at ksu.edu>
> > So does rate limiting cover when the attacker walks my DNS zone to
> > attack an IP?
> that depends on what is meant by "rate limiting" and "walking a DNS
> zone".
> Simple rate limiting that counts all requests ostensibly from a
> single IP address regardless of (qname,qtype) differs from response
> rate limiting (RRL) which counts distinct responses.
> "Walking a zone" can differ from walking a zone's valid names
> (perhaps
> based on NSEC RRs or arithmetic as in a reverse zone).

Well, if you had left the context of my reply in, it would be clear that I was referring to the RRL patch.

And, I said in my message that I don't know the details of the walking....the person relaying the incident to me didn't specify the kind of walking, which is why I said, "I'm curious what kind of walking it was doing".

Because I wondered whether all/mostly NXDOMAIN/NSEC3 responses would get limited.

I've played around with simple rate limiting before...on some caching servers...what a mess that turned out.  Since it was one host that was mainly being bad, it was easier to just block it....

>From what I was told of the incident...queries coming were from all over (from valid ranges), but the responses were all going to one IP.  So, IT Security didn't think they could do anything about it...except to ask why do we have DNS servers that are accessible from the Internet, and can they be blocked. ;-o

More information about the bind-users mailing list