Response Rate Limiting

A Domain Name System (DNS) amplification and reflection attack is a type of distributed denial of service (DDoS) attack. The attack uses publicly accessible, open DNS servers to overwhelm a targeted system with DNS response traffic: the attacker sends requests to these servers with the source address spoofed to the victim's address instead of the attacker's own, so, without a security countermeasure, all of the DNS servers' responses are reflected onto the victim.

When DNS forwarding proxies (DFPs) are under a DNS amplification or reflection attack, the DNS requests used for the attack should be rate limited or dropped. Protecting the DNS forwarding proxy from these attacks ensures that the DNS service is not degraded and that network bandwidth and other resources are not over-utilized.

Using Response Rate Limiting (RRL), the DNS Forwarding Proxy can control excessive UDP responses that are identical or similar. RRL in Infoblox Threat Defense is enabled by default; it cannot be disabled or configured by users. RRL ensures that a single DNS client cannot exhaust all of the DNS Forwarding Proxy's resources, so the network infrastructure is protected against DDoS attacks without impact on or degradation of the service.
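To make the mechanism concrete, the following is an added illustration of how a response rate limiter of this kind works; it is example code written for this page, not Infoblox's implementation (whose limits are not published or configurable). Responses are grouped into buckets by the client's /24 prefix and the (name, type, rcode) of the answer, so that many identical responses towards one spoofed victim share a bucket while distinct legitimate queries do not. Once a bucket exceeds its per-second budget, further responses are dropped, except that every second excess response is "slipped": sent back as a small truncated (TC) response so a genuine client retries over TCP, which cannot be spoofed. The limit of 5 responses per second, the slip ratio of 2, the /24 grouping and the sample traffic are all assumptions constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Response:
    """One UDP response about to leave the proxy (constructed for this example).

    client_ip is the destination of the response, i.e. the (possibly spoofed)
    source address of the query that caused it.
    """
    client_ip: str
    qname: str
    qtype: str
    rcode: str


class ResponseRateLimiter:
    """Simplified RRL: fixed one-second window per (client prefix, answer) bucket.

    Parameters are assumptions for illustration, not a vendor's defaults.
    """

    def __init__(self, responses_per_second=5, slip=2, prefix_len=24, window=1.0):
        self.rps = responses_per_second   # identical responses allowed per window
        self.slip = slip                  # every Nth excess response becomes TC=1
        self.prefix_len = prefix_len      # group clients by IPv4 prefix
        self.window = window              # window length in seconds
        self.buckets = {}                 # key -> {"start", "sent", "dropped"}

    def _key(self, resp):
        # Same answer towards the same client network shares one bucket, so a
        # flood of identical responses aimed at one victim is throttled together.
        net = ip_network(f"{resp.client_ip}/{self.prefix_len}", strict=False)
        return (str(net), resp.qname.lower().rstrip("."), resp.qtype, resp.rcode)

    def decide(self, resp, now):
        """Return SEND, SLIP (truncated response) or DROP for this response."""
        key = self._key(resp)
        bucket = self.buckets.get(key)
        if bucket is None or now - bucket["start"] >= self.window:
            bucket = self.buckets[key] = {"start": now, "sent": 0, "dropped": 0}
        if bucket["sent"] < self.rps:
            bucket["sent"] += 1
            return "SEND"
        bucket["dropped"] += 1
        if self.slip and bucket["dropped"] % self.slip == 0:
            return "SLIP"  # tiny TC=1 answer; a real client retries over TCP
        return "DROP"


def run_sample():
    """Run constructed traffic through the limiter; return decisions per client."""
    rrl = ResponseRateLimiter()
    traffic = []
    # Constructed flood: 30 identical ANY answers within one second, all addressed
    # to 198.51.100.7 (the address a spoofing attacker forged as the query source).
    for i in range(30):
        traffic.append((i * 0.03, Response("198.51.100.7", "example.com.", "ANY", "NOERROR")))
    # Constructed legitimate client: six different names in the same second.
    names = ["www.example.com", "mail.example.com", "ns1.example.com",
             "cdn.example.com", "api.example.com", "vpn.example.com"]
    for i, name in enumerate(names):
        traffic.append((0.1 + i * 0.1, Response("192.0.2.10", name, "A", "NOERROR")))
    traffic.sort(key=lambda item: item[0])

    results = defaultdict(Counter)
    for now, resp in traffic:
        results[resp.client_ip][rrl.decide(resp, now)] += 1
    return results


if __name__ == "__main__":
    for client, counts in run_sample().items():
        print(client, dict(counts))
```

Running the sample shows the property the text describes: the reflected flood towards 198.51.100.7 gets 5 full responses, 12 truncated ones and 13 drops, so the amplification towards the victim is capped, while the legitimate client's six distinct queries fall into six different buckets and are all answered.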