[ratelimits] dramatic effect of turning on RRL in BIND
pvlaar at afilias.info
Fri Dec 28 13:36:45 UTC 2012
I just wanted to share this graph showing the effect of RRL during an
attack that we were seeing to a node of ours not doing RRL yet on that
We're still seeing spikes of up to 180k DNS queries per second, but due
to the RRL we're now at a rather steady rate of 80% query drop. Biggest
percentage I've seen so far. It does appear that for this particular
attack the source (probably spoofed) addresses are a relatively small
subset, so RRL is particularly effective at keeping traction here.
We went from ~2.3Gb/s to less than 70Mb/s on the outbound after we
turned on RRL. We're running BIND 9.8.3-vjs197.16-P4 here, and these are
the RRL config settings:
Obviously this is a huge improvement for everyone involved.
I hope this is of interest or inspiration to anyone. If anyone wants to
know more details, let me know.
Much thanks goes to the developers!
Content Propagation and Resolution
e-mail: pvlaar at afilias.info
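Why a spoofed flood from a small set of source netblocks drops so hard under RRL: the limiter keys its buckets on (client netblock, qname, qtype), so a flood that reuses a few hundred addresses fights over a few hundred buckets, while legitimate traffic spread across many netblocks is barely touched. The simulator below is an added illustration; it is not the poster's configuration (which is not reproduced in the archived message) and not BIND's code. It approximates BIND RRL's responses-per-second, window and slip semantics with a plain token bucket; the knob values, the /24 and /56 prefix lengths, the traffic generator and the 10.0.0.0/8 sample addresses are all assumptions chosen for the example.

```python
"""Simplified DNS response-rate-limiting (RRL) simulator.

Added illustration, not code from the post or from BIND. Credit accounting is
an approximation of BIND's, not a copy: one bucket per (client netblock, qname,
qtype); a bucket starts with `responses_per_second` credits, refills at that
rate, may not bank more than one second of credit, and may run a deficit of at
most `window` seconds.  Every `slip`-th over-limit response is "slipped"
(answered with a truncated, TC=1 reply so a real client retries over TCP)
instead of dropped.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class Bucket:
    credits: float  # responses still allowed; negative means over the limit
    last: float     # time of the last update, in seconds


class RateLimiter:
    # Assumed values, not the poster's settings.
    def __init__(self, responses_per_second=5, window=5, slip=2,
                 ipv4_prefix_length=24, ipv6_prefix_length=56):
        self.rps = responses_per_second
        self.window = window
        self.slip = slip
        self.v4len = ipv4_prefix_length
        self.v6len = ipv6_prefix_length
        self.buckets = {}
        self.over_limit = 0  # running count of over-limit responses, drives slip
        self.counts = {"send": 0, "drop": 0, "slip": 0}
        self._netcache = {}

    def _netblock(self, src):
        """Collapse a client address to its /24 (IPv4) or /56 (IPv6) netblock."""
        net = self._netcache.get(src)
        if net is None:
            addr = ipaddress.ip_address(src)
            plen = self.v4len if addr.version == 4 else self.v6len
            net = str(ipaddress.ip_network((addr, plen), strict=False))
            self._netcache[src] = net
        return net

    def decide(self, t, src, qname, qtype):
        """Return 'send', 'drop' or 'slip' for one response at time t (seconds)."""
        key = (self._netblock(src), qname.rstrip(".").lower(), qtype.upper())
        b = self.buckets.get(key)
        if b is None:
            b = self.buckets[key] = Bucket(self.rps, t)
        else:
            # refill at rps per second, never banking more than one second
            b.credits = min(self.rps, b.credits + (t - b.last) * self.rps)
            b.last = t
        b.credits -= 1
        if b.credits >= 0:
            verdict = "send"
        else:
            # cap the deficit so a stopped flood is penalised for at most `window` s
            b.credits = max(b.credits, -self.rps * self.window)
            self.over_limit += 1
            verdict = "slip" if self.slip and self.over_limit % self.slip == 0 else "drop"
        self.counts[verdict] += 1
        return verdict


def flood(qps, n_sources, qname="example.", qtype="ANY", duration=1.0):
    """Constructed sample traffic: `qps` queries evenly spaced over `duration`
    seconds, cycling through `n_sources` distinct (spoofed) /24 netblocks in
    10.0.0.0/8, all for the same name and type.  n_sources must be <= 65536."""
    total = int(qps * duration)
    for i in range(total):
        s = i % n_sources
        yield (i * duration / total, f"10.{s // 256}.{s % 256}.1", qname, qtype)


def run(limiter, traffic):
    """Feed traffic through the limiter and summarise the verdicts."""
    for t, src, qname, qtype in traffic:
        limiter.decide(t, src, qname, qtype)
    total = sum(limiter.counts.values())
    limited = limiter.counts["drop"] + limiter.counts["slip"]
    return {**limiter.counts, "total": total,
            "rate_limited_fraction": limited / total if total else 0.0}


if __name__ == "__main__":
    # Spoofed flood: 18000 qps squeezed into 64 netblocks -> almost nothing answered.
    print("concentrated flood:", run(RateLimiter(), flood(18000, 64)))
    # Same volume from 18000 different netblocks -> every response goes out.
    print("distributed clients:", run(RateLimiter(), flood(18000, 18000)))
```

Each bucket in the concentrated case admits only its initial credits plus what refills during the second, so roughly five responses per netblock leave the server and the rest are dropped or slipped; spread the same query rate across as many netblocks as queries and nothing is limited, which is the whole point of keying on the client netblock rather than on the server's aggregate rate. Note that many hosts inside one /24 share a single bucket, so a legitimate resolver farm behind the same /24 as a flood source is throttled together with it; slip is what keeps such clients reachable over TCP.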
[Attachment scrubbed by the list archive: service-traffic-rrl-trim-20121228.png, 131610 bytes]