Defense against a client?

Phil Mayers p.mayers at imperial.ac.uk
Tue Jan 17 09:47:07 UTC 2012 

On 01/17/2012 05:13 AM, Mark Andrews wrote:

>> If one sets up a infrastructure such that a large number of end users "share
>> the same fate" through having the same source address... then one should not
>> be surprised when these end users actually do share the same fate...
>>
>> -DMM
>
> Assuming that there is a single client on a single address has
> *never* been a valid assumption.  Security policies that assume
> that are *broken*.  Even with IPv6 this will not be a valid assumption
> though you may get to a single machine per address.  machine is
> still not client.

Surely the answer is "it depends"?

As far as I could see, the original poster didn't specify whether the 
server he was suffering load problems on was authoritative i.e. publicly 
accessible or recursive i.e. a known client base, although the 
circumstances suggest the latter.

If it's an authoritative server then he's got a hard problem to solve, 
but if it's recursive, then unless he's running a massive public access 
DNS system (unlikely, I feel) then he can probably state with some 
degree of assurance whether CGNs are between him and his clients.

In fact, I've been amazed to see this discussion progress without any 
references to the circumstances of the original poster, who stated quite 
clearly that the load from the malfunctioning clients was sometimes so 
high as to deny service for other clients.

Arguing the toss over whether per-IP rate-limiting is going to cause 
problems for legitimate users is a bit pointless when the DENIAL OF 
SERVICE his server is experiencing is ALREADY causing problems for all 
users, legitimate or not.

Per-IP rate-limiting can indeed cause problems for legitimate users. So, 
what would you suggest as an alternative? I suggest that, in front of an 
enterprise recursive server, it's appropriate and unlikely to cause 
harm, if the limit is set high enough to let all legit traffic through.

In the case of authoritative service for popular zones, or publicly 
accessible recursive services, per-IP limiting is unlikely to be 
appropriate. But likewise, those kinds of services are unlikely to 
suffer the same resource and architecture constraints - their operators 
can probably just deal with it, or implement some more sophisticated 
QNAME/IP/time window rate-limits.

Cheers,
Phil

More information about the bind-users mailing list