
Response Rate Limiting

secure411dotorg edited this page Sep 25, 2013 · 2 revisions

#### Response Rate Limiting

Prevent your DNS servers from being used by malicious actors in amplification attacks by adding RRL (Response Rate Limiting).

Malicious actors send queries to your server with a forged source IP address, also called a spoofed IP address. That spoofed address is the intended victim of their attack: your server sends its replies to the victim, and because a DNS response (for example to an ANY query, or for DNSSEC-signed records) can be many times larger than the query that triggered it, the attacker's traffic is amplified at the victim's endpoint.

To avoid this, rate limit your DNS server's responses. RRL counts identical responses going to the same client netblock and, above a configured rate, suppresses the excess, sending a small truncated reply for some of them so that a genuine resolver behind that address retries over TCP. Legitimate queries are answered normally and cached by the querying resolver, which won't ask again until the record's TTL expires, so legitimate traffic rarely reaches the limit. RRL is meant for authoritative servers; a recursive server should not be answering queries from the open internet in the first place.
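The following is an added example, not code from this page or from any DNS server, that models how RRL makes the decision just described. It keeps a token bucket per (client netblock, identical response) key, suppresses responses once the bucket is empty, and turns every second suppressed response into a truncated reply. The limits, the /24 and /56 aggregation, the constructed traffic sample (100 spoofed ANY queries across the victim's 192.0.2.0/24 plus three queries from a real resolver at 198.51.100.7) and the names used are assumptions for the demonstration; BIND's own accounting differs in detail.

```python
"""Simplified model of DNS Response Rate Limiting (RRL).

Added example, not the page's or any DNS server's own code. Identical
responses to one client netblock share a token bucket; once it is empty the
response is suppressed, and every SLIP-th suppressed response is sent as a
small truncated (TC=1) reply instead. Limits and the traffic sample are
assumptions chosen for the demonstration.
"""
from collections import defaultdict
import ipaddress

RPS = 5           # assumed responses-per-second per (netblock, response) key
SLIP = 2          # send every 2nd suppressed response as a truncated reply
IPV4_PREFIX = 24  # aggregate IPv4 clients per /24
IPV6_PREFIX = 56  # aggregate IPv6 clients per /56


def bucket_key(client_ip, qname, qtype, rcode):
    """Identical answers to one netblock share one bucket, so an attacker
    spoofing many addresses inside the victim's /24 cannot evade the limit."""
    addr = ipaddress.ip_address(client_ip)
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return (str(net), qname.lower(), qtype.upper(), rcode)


class RRL:
    def __init__(self, rps=RPS, slip=SLIP):
        self.rps = rps
        self.slip = slip
        self.capacity = rps * 1000          # milli-credits; 1000 = one response
        self.buckets = {}                   # key -> (milli-credits, last_ms)
        self.suppressed = defaultdict(int)  # key -> number of suppressed responses

    def decide(self, client_ip, qname, qtype, rcode, now_ms):
        """Return 'answer', 'slip' (send truncated reply) or 'drop'."""
        key = bucket_key(client_ip, qname, qtype, rcode)
        credits, last_ms = self.buckets.get(key, (self.capacity, now_ms))
        # refill rps responses' worth of credits per second, capped at capacity
        credits = min(self.capacity, credits + (now_ms - last_ms) * self.rps)
        if credits >= 1000:
            self.buckets[key] = (credits - 1000, now_ms)
            return "answer"
        self.buckets[key] = (credits, now_ms)
        self.suppressed[key] += 1
        if self.slip and self.suppressed[key] % self.slip == 0:
            # A TC=1 reply is about the size of the query, so it amplifies
            # nothing, and a real resolver behind that address retries over TCP.
            return "slip"
        return "drop"


def simulate(traffic, rrl=None):
    """traffic: iterable of (time_ms, client_ip, qname, qtype, rcode)."""
    rrl = rrl or RRL()
    counts = {"answer": 0, "slip": 0, "drop": 0}
    for t, src, qname, qtype, rcode in sorted(traffic):
        counts[rrl.decide(src, qname, qtype, rcode, t)] += 1
    return counts


def sample_traffic():
    """Constructed sample: 100 spoofed ANY queries within one second, with
    source addresses spread across the victim's 192.0.2.0/24, plus three
    queries from a genuine resolver at 198.51.100.7."""
    spoofed = [(i * 10, f"192.0.2.{i}", "example.com.", "ANY", "NOERROR")
               for i in range(100)]
    legit = [(200, "198.51.100.7", "example.com.", "A", "NOERROR"),
             (500, "198.51.100.7", "www.example.com.", "A", "NOERROR"),
             (900, "198.51.100.7", "example.com.", "A", "NOERROR")]
    return spoofed + legit


if __name__ == "__main__":
    print(simulate(sample_traffic()))
    # → {'answer': 12, 'slip': 45, 'drop': 46}
```

Of the 100 spoofed queries only 9 are answered (the bucket refills at 5 per second), 46 are dropped and 45 go out as truncated replies, while all three queries from the real resolver are answered because they fall into different buckets. Setting `slip=0` disables the truncated replies entirely and every suppressed response is dropped.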

#### Where to get Response Rate Limiting

If you want to test the feature before deploying to production, or you want to run your DNS server from Amazon Web Services, try the AMI we created for RPZ + RRL. (Search the community AMIs in your EC2 console at http://aws.amazon.com for the term rpzone.)

RedBarn.org provides simple instructions for configuring RRL and a link to the mailing list of the interest group. A list of DNS server software that supports response rate limiting is also kept on that page.
