[nsd-users] NSD and Reflection Rate Limiting.

Olaf Kolkman olaf at NLnetLabs.nl
Mon Oct 8 12:17:34 UTC 2012



Dear NSD Users,
 
Recently, specifically in TLD operator circles, there has been a lot of discussion on the use of authoritative servers for reflection attacks.
 
We have been following these discussions with questions about the core-functionality of DNS, NSD's lean-mean-thus-secure architecture, and good neighbourship in mind. We considered an external and generic tool to deal with reflection but assessed that having a method to prevent reflection attacks within the name server is the best way to lower deployment hurdles. Therefore, we have decided to incorporate a technique to deal with reflection attacks in NSD.
 
The technique is inspired by the work done by Vixie & Schryver [1] but will, because of biological diversity arguments, differ in some of its implementation details. Of course, it will be written from scratch by NLnet Labs. In the near future you may expect a blog-post on http://www.nlnetlabs.nl/blog/ with a description of the design.
 
We have prioritized this work and expect to have code available within a few months.

Thank you for using NSD.
 
-- Olaf Kolkman


[1] http://ss.vix.com/~vixie/isc-tn-2012-1.txt



NLnet Labs
Olaf M. Kolkman

www.NLnetLabs.nl
olaf at NLnetLabs.nl

Science Park 400, 1098 XH Amsterdam, The Netherlands


