Internet Systems Consortium (ISC) announces that the RRL module, currently the most effective defense against the use of DNS in Distributed Denial of Service attacks, is now part of the upcoming BIND release.
A DNS DDoS attack works by forging queries that look like they came from the victim’s server, making it appear to be requesting a high volume of information. RRL enables server administrators to limit the rate at which their server will send replies to forged queries, thereby preventing it from contributing to the attack. The frequency of DNS DDoS attacks has been increasing, rising by 20% in Q2 of 2013. In an average attack 50 million packets per second are beamed at the victim. As attacks increase, RRL is the best defense available.
“Our users have been asking for RRL to be incorporated into BIND,” said Kannan Ayyar, President of Internet Systems Consortium, “and we recognize the important role it plays in DDoS mitigation. With DDoS attacks increasing in both number and severity, we felt it was important to integrate RRL into a supported release.”
“We have been testing RRL in limited release, and are now confident that it is ready for general use in BIND installations,” said Scott Mann, ISC’s VP of Engineering. “Third-party additions like RRL are possible because BIND is open source software. Now that it is fully implemented, we look forward to enhancing and building on RRL in future releases.”