At 16:40 -0400 8/18/04, Bill Sommerfeld wrote:
>With only one replica of a zone, it's easy -- if you hit a "green"
>name, the next name gets painted "yellow"; if you hit a "yellow"
>name, the reply spends some time in a penalty box and the next name
>gets painted "red"; if you hit a "red" name, the server gets creative;
>colors decay back to green over time.
>
>To generalize to multiple replicas, paint multiple subsequent names
>rather than just one; with a large enough window, with queries spread
>across N replicas, at least one replica must see an in-window value
>and the sequential-access detector will fire, derailing the scan on
>that server.
>
>Sensitivity to attack rate and false-positive rate can be adjusted by
>tweaking the window size, the color count and the decay timer.


While I admire the art of this, it grates against the spirit of what
I think DNS should be. That is a lightweight, core, etc., lookup
service.

What concerns me the most is that to do this the server has to
maintain a query history. History is another word for state -
building up state is a problem for DOS defense. Building and
maintaining state is a lot of work - not at all lightweight.

My other concern is that I've had bad experience with infrastructure
systems that try to guess the intent of the data stream. Especially
with DNS, where everything you put in the zone is meant to be
accessed. How do you detect the difference between a sudden external
event (like emergency response to a natural disaster) versus
malicious mining? What happens if you prevent first responders from
getting needed data?

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-703-227-9854
ARIN Research Engineer

"I can't go to Miami. I'm expecting calls from telemarketers." -
Grandpa Simpson.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:
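Added illustration, not code from either poster: a small Python model of the colour-painting detector Bill sketches above, with the per-name colour table (the state Edward objects to) made explicit. The class and function names, the sample zone, and the window/decay values are constructed assumptions; zone order is approximated by a plain string sort rather than DNS canonical ordering.

```python
import bisect

GREEN, YELLOW, RED = 0, 1, 2
VERDICT = ("answer", "penalty-box", "creative")  # server action on a hit of each colour


class SequentialAccessDetector:
    """One replica's detector (hypothetical model of the scheme in the thread).

    names:  the zone's owner names; window: how many following names a hit paints;
    decay:  seconds before a painted colour returns to green.
    """
    def __init__(self, names, window=1, decay=60.0):
        self.names = sorted(names)      # simplification of DNS canonical order
        self.window = window
        self.decay = decay
        self.colours = {}               # name -> (colour, painted_at): per-query state

    def colour_of(self, name, now):
        colour, painted_at = self.colours.get(name, (GREEN, 0.0))
        if colour != GREEN and now - painted_at > self.decay:
            colour = GREEN              # colours decay back to green over time
        return colour

    def query(self, name, now=0.0):
        """Handle one query and return the verdict for the name's current colour."""
        hit = self.colour_of(name, now)
        # paint the next `window` names in zone order one shade darker than the hit
        start = bisect.bisect_right(self.names, name)
        for nxt in self.names[start:start + self.window]:
            self.colours[nxt] = (min(hit + 1, RED), now)
        return VERDICT[hit]

    def state_size(self, now=0.0):
        """Names still holding a non-green colour: the history this replica carries."""
        return sum(1 for n in self.colours if self.colour_of(n, now) != GREEN)


def scan(names, replicas=1, window=1, decay=60.0):
    """Walk `names` in zone order, spreading the queries round-robin over N replicas."""
    servers = [SequentialAccessDetector(names, window, decay) for _ in range(replicas)]
    return [servers[i % replicas].query(n, now=float(i)) for i, n in enumerate(sorted(names))]


ZONE = [f"host{i:02d}.example" for i in range(6)]   # constructed sample zone, not real names

if __name__ == "__main__":
    print(scan(ZONE))                         # one replica: the walk derails by the third query
    print(scan(ZONE, replicas=3, window=1))   # spread over 3 replicas with window 1: never fires
    print(scan(ZONE, replicas=3, window=3))   # window >= replica count: every replica fires
```

Widening the window restores detection across replicas, but every painted entry is state each replica must keep until the decay timer clears it.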