12–13 May 2013
Burlington Hotel
Europe/Dublin timezone

Comparison of RRL behaviour in BIND9, Knot DNS, and NSD

12 May 2013, 12:20
20m
Burlington Hotel

Connaught Suite, Upper Leeson Street, Dublin 4, Ireland
OARC Public Workshop

Speaker

Dave Knight (ICANN)

Description

In March 2013 an L-Root node in Hamburg, Germany received abnormal traffic over a prolonged period. Initial inspection of the traffic suggested that L was being used as an amplifier in a reflection attack. The short-term effects were mitigated using NSD RRL, which produced a noticeable decrease in outbound traffic, but a smaller one than we expected given anecdotal reports from other DNS operators using BIND9 RRL. Full packet captures of the request traffic were retained for further analysis. This retained data was used to replay the query traffic against a variety of authoritative servers that implement some form of response rate limiting, in order to compare the implementations from an operational perspective.

Summary

We present a brief analysis of the abnormal traffic received, together with a detailed comparison of the operational effects of using RRL in BIND9, NSD and Knot DNS to mitigate the situation.
