Jack Bates <jbates@brightok.net> wrote:
You'll also find that [DNS RRL] serves little purpose.
In my experience it works extremely well. Yes it is possible to work around it, but you still need to stop the attacks that are happening now. It is good to make the attacker's job harder.
1) tcp
RRL pushes legitimate clients to TCP if they get muddled up with attack traffic.
2) require all requests to pad out to maximum response
I expect that is as easy to deploy as BCP38, IPv6, and DNSSEC.
3) BCP38 (in spirit)
That should be deployed as well as RRL. Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.