nanog mailing list archives

rate limiting (Re: Open DNS Resolver reflection attack Mitigation)


From: Paul Vixie <vixie () isc org>
Date: Mon, 11 Jun 2012 00:17:23 +0000

Joe Maimon <jmaimon () ttec com> writes:

> Is there any publicly available rate limiting for BIND?
>
> How about host-based IDS that can be used to trigger rtbh or iptables?
>
> Google and Level3 manage to run open resolvers, why can't I?

rate limiting on recursive servers is complicated by the lack of caching
in most stub resolvers and applications. this makes it hard to tell by
pure automation when a request flow is a spoof-source attack and when not.

for most of us this isn't a problem since we'll put access control lists
on our recursive name servers, only allowing queries from on-campus or
on-net.

for intentionally open resolvers, i expect there's a lot of monitoring
and hand tuning, and that many deliberately low-grade attacks get by.

noting that there are at least 15 million open recursive servers (most in
low-quality CPE boxes front-ending cable or DSL links), an attacker has
a long menu of places to send a small number of queries (to each) so that
any rate limiting done by any one of the open recursive servers would not
defend any victims against spoofed-source.

spoofed-source is becoming wildly more popular. that's probably where to
fix this. also the 15 million open recursives would be good to see fixed.

at the moment most attacks are using authority servers, where it's far
easier to automatically tell attack flows from non-attack flows. 

-- 
Paul Vixie
KI6YSY
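
To make the two points above concrete (that a per-resolver rate limit is defeated when an attacker spreads a few queries across many open resolvers, and that on a recursive server a non-caching stub looks the same as a spoofed-source flood while on an authority server repeated identical responses to one prefix stand out), here is an added toy example that is not part of the post or of BIND. It keys a response counter on (client /24, qname, qtype, one-second window), which is an assumed simplification; all traffic is constructed.

```python
"""Toy response rate limiter, added as an illustration (not BIND code).

It demonstrates three things from the thread:
  * a spoofed-source flood aimed at one victim prefix is easy to limit
    where all the repeated answers leave a single server,
  * the same limiter does nothing when the attacker sends a handful of
    queries to each of many open resolvers,
  * on a recursive server a legitimate stub that does not cache produces
    exactly the pattern the limiter punishes (a false positive).
"""
import ipaddress
from collections import defaultdict


class ResponseRateLimiter:
    """Allow at most `limit` identical responses per client prefix per window."""

    def __init__(self, limit, window_seconds=1.0, prefix_len=24):
        self.limit = limit
        self.window = window_seconds
        self.prefix_len = prefix_len
        self.counts = defaultdict(int)

    def _key(self, client_ip, qname, qtype, now):
        # Aggregate by /24 so an attacker cannot dodge the limit by walking
        # through the victim's neighbouring addresses.
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        return (str(net), qname.lower(), qtype, int(now // self.window))

    def decide(self, client_ip, qname, qtype, now):
        key = self._key(client_ip, qname, qtype, now)
        self.counts[key] += 1
        return "send" if self.counts[key] <= self.limit else "drop"


def run(limiter, queries):
    """Feed (time, client_ip, qname, qtype) tuples; return (sent, dropped)."""
    sent = dropped = 0
    for t, ip, name, qtype in queries:
        if limiter.decide(ip, name, qtype, t) == "send":
            sent += 1
        else:
            dropped += 1
    return sent, dropped


def reflection_flood(victim="192.0.2.10", n=500):
    # Constructed: queries with the victim's address as spoofed source, all for
    # the same large answer, arriving within one second.
    return [(i / n, victim, "example.com", "ANY") for i in range(n)]


def normal_authority_traffic():
    # Constructed: 50 resolvers in distinct /24s, each asking three names once.
    names = ["a.example.com", "b.example.com", "c.example.com"]
    return [(r * 0.01 + j * 0.001, f"10.{r}.0.1", name, "A")
            for r in range(50) for j, name in enumerate(names)]


def noncaching_stub(client="10.1.2.3", n=40):
    # Constructed: one on-net host whose application re-resolves the same
    # name 40 times in a second because nothing caches in front of the
    # recursive server. Legitimate, but indistinguishable from a flood here.
    return [(i / n, client, "www.example.com", "A") for i in range(n)]


def spread_across_resolvers(total, resolvers, limit, victim="192.0.2.10"):
    """Each open resolver runs its own limiter; the attacker sends total/resolvers
    queries to each. Returns how many of the `total` responses were dropped."""
    per = total // resolvers
    dropped = 0
    for _ in range(resolvers):
        queries = [(i / per, victim, "example.com", "ANY") for i in range(per)]
        dropped += run(ResponseRateLimiter(limit), queries)[1]
    return dropped


if __name__ == "__main__":
    print("flood at one authority:", run(ResponseRateLimiter(10), reflection_flood()))
    print("normal authority traffic:", run(ResponseRateLimiter(10), normal_authority_traffic()))
    print("same flood spread over 100 resolvers, dropped:",
          spread_across_resolvers(500, 100, 10))
    print("non-caching stub at a recursive server:", run(ResponseRateLimiter(10), noncaching_stub()))
```

The first two runs show why the authority side is tractable: 490 of 500 spoofed responses are dropped while ordinary resolver traffic is untouched. The third shows the distribution problem from the post: five queries per resolver never reaches any one resolver's threshold, yet the victim still receives all 500 answers. The last run is the recursive-side false positive: a stub that does not cache is cut off exactly like the flood, which is why an access list on who may recurse, rather than a rate limit, is the usual fix on recursive servers.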

