Speaker
Dave Knight
(ICANN)
Description
In March 2013 an L-Root node in Hamburg, Germany received abnormal traffic over a prolonged period of time. Initial inspection of the traffic suggested that L was being used as an amplifier as part of a reflection attack. The short-term effects were mitigated using NSD RRL, which resulted in a decrease in outbound traffic that was noticeable, but smaller than we expected given anecdotal reports from other DNS operators using BIND9 RRL.
Full packet captures of the request traffic were retained for further analysis. This retained data was used to replay the query traffic against a variety of authoritative servers that have implemented some form of response rate limiting, in order to compare the implementations from an operational perspective.
Summary
We present a brief analysis of abnormal traffic received, together with a detailed comparison of the operational effects of using RRL with BIND9, NSD and knot to mitigate the situation.
Primary author
Dave Knight
(ICANN)
