[bind10-dev] Forwarding from auth, was ddns
JINMEI Tatuya / 神明達哉
jinmei at isc.org
Tue Nov 29 18:49:00 UTC 2011
At Tue, 29 Nov 2011 18:43:14 +0100,
Michal 'vorner' Vaner <michal.vaner at nic.cz> wrote:
> > > Or would that be prone to DOS attacks?
> >
> > DoS attacks on what? As long as the communication is limited among
>
> I mean, if someone sends a burst of requests and overflows the queue
> (short-term), it would cause a drop of several packets and a reconnect, taking
> the server down for a short while (.5s). If it would be possible to do it often
> enough, then it would make the server unresponsive.
>
> Or does it sound unlikely to happen?

Ah, okay, that can happen, but I'd consider it something we need to
address not particularly in the context of attacks, because some kind
of service disruption could easily happen just when we have
heavy DDNS clients.

I think the general goal is to ensure the main auth server can keep
running however busy the entire system receiving DDNS requests is. As
part of solutions for the goal we should consider cases where we need
to drop some DDNS requests. We should also consider a way to recover
from the case where the DDNS server component really hangs while being
careful not to overkill it. Such robustness will be necessary anyway,
and I guess that will cover both non-attack but excessive load and
attack scenarios.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
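
The following sketch is an added example, not part of the original message and not BIND 10 code. It illustrates the two properties discussed in the thread: the auth side never blocks on a burst of forwarded DDNS requests (it drops when a bounded queue is full), and a stalled DDNS component is restarted only after a timeout and with a minimum gap between restarts. The class name, method names, and all thresholds are hypothetical.

```python
import collections
import time


class DDNSForwarder:
    """Hypothetical auth-side queue for requests forwarded to the DDNS component."""

    def __init__(self, max_pending=4, stall_timeout=5.0, min_restart_gap=30.0,
                 clock=time.monotonic):
        self.pending = collections.deque()
        self.max_pending = max_pending          # assumed queue bound
        self.stall_timeout = stall_timeout      # assumed seconds without progress
        self.min_restart_gap = min_restart_gap  # assumed restart rate limit
        self.clock = clock
        self.dropped = 0
        self.last_progress = clock()
        self.last_restart = None

    def forward(self, request):
        """Called from the auth hot path: never blocks, drops when full."""
        if len(self.pending) >= self.max_pending:
            self.dropped += 1
            return False
        if not self.pending:
            # Queue was idle, so the stall timer starts now.
            self.last_progress = self.clock()
        self.pending.append(request)
        return True

    def take(self):
        """Called when the DDNS component accepts the next request."""
        self.last_progress = self.clock()
        return self.pending.popleft() if self.pending else None

    def should_restart(self):
        """True only if work is pending, nothing moved for stall_timeout,
        and the previous restart is at least min_restart_gap old."""
        now = self.clock()
        if not self.pending or now - self.last_progress < self.stall_timeout:
            return False
        if (self.last_restart is not None
                and now - self.last_restart < self.min_restart_gap):
            return False
        self.last_restart = now
        self.last_progress = now  # give the restarted component a fresh window
        return True
```

The `dropped` counter is the value to export for monitoring: a sustained non-zero drop rate indicates either excessive legitimate load or an attack, which the thread treats as the same robustness problem.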