[ratelimits] dramatic effect of turning on RRL in BIND

Paul Vlaar pvlaar at afilias.info
Fri Dec 28 13:36:45 UTC 2012


Hi all,

I just wanted to share this graph showing the effect of RRL during an
attack that we were seeing against a node of ours that wasn't doing RRL
yet on that particular nameserver.

We're still seeing spikes of up to 180k DNS queries per second, but due
to the RRL we're now at a rather steady rate of 80% query drop. Biggest
percentage I've seen so far. It does appear that for this particular
attack the source (probably spoofed) addresses are a relatively small
subset, so RRL is particularly effective at keeping traction here.

We went from ~2.3Gb/s to less than 70Mb/s on the outbound after we
turned on RRL. We're running BIND 9.8.3-vjs197.16-P4 here, and these are
the RRL config settings:

        rate-limit {
                responses-per-second 5;   // identical responses per second per client /24
                errors-per-second 5;      // same limit for error responses (NXDOMAIN, SERVFAIL, ...)
                window 15;                // seconds over which credit and debt accumulate
                slip 5;                   // every 5th suppressed response is sent truncated (TC=1)
        };

Obviously this is a huge improvement for everyone involved.

I hope this is of interest or inspiration to anyone. If anyone wants to
know more details, let me know.

Many thanks go to the developers!

	~paul



-- 
Paul Vlaar
Content Propagation and Resolution
Afilias

e-mail: pvlaar at afilias.info
phone: +1-416-673-4078
mobile: +31-6-506-306-35
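As an added illustration (not code from the post or from BIND itself), a simplified Python model of the RRL logic the settings above configure: each (client /24, response) bucket refills at responses-per-second, debt is capped by window, and every slip-th suppressed response goes out truncated instead of being dropped. The traffic mix (three spoofed /24s flooding one name beside twenty ordinary clients) is constructed, and the model follows the documented behaviour rather than BIND's rrl.c.

```python
"""Simplified model of BIND RRL (responses-per-second, window, slip).
Teaching model of the documented behaviour, not BIND's rrl.c."""
from collections import Counter

# Settings from the post above (errors-per-second omitted: no error replies here).
RATE_LIMIT = {"responses-per-second": 5, "window": 15, "slip": 5}

def bucket_key(client_ip, qname, qtype):
    """RRL accounts per (client /24, response identity), not per source IP,
    so spoofed addresses inside one subnet share a single bucket."""
    net = ".".join(client_ip.split(".")[:3]) + ".0/24"
    return (net, qname.lower(), qtype)

class RRL:
    def __init__(self, cfg):
        self.rps = cfg["responses-per-second"]
        self.window = cfg["window"]
        self.slip = cfg["slip"]
        self.buckets = {}  # key -> [credit, last_seen, suppressed_count]

    def decide(self, t, client_ip, qname, qtype):
        """Return 'answer', 'slip' (truncated TC=1 reply) or 'drop'."""
        key = bucket_key(client_ip, qname, qtype)
        b = self.buckets.setdefault(key, [self.rps, t, 0])
        # Credit refills at responses-per-second, capped at one second's worth.
        b[0] = min(self.rps, b[0] + (t - b[1]) * self.rps)
        b[1] = t
        if b[0] >= 1:
            b[0] -= 1
            return "answer"
        # Debt is capped so a quiet bucket recovers within `window` seconds.
        b[0] = max(b[0] - 1, -self.window * self.rps)
        b[2] += 1
        # A real client that gets the truncated reply retries over TCP; a
        # spoofed victim only receives a tiny packet instead of a full answer.
        return "slip" if self.slip and b[2] % self.slip == 0 else "drop"

def simulate(seconds=10, spoofed_subnets=3, flood_rate=200, legit_clients=20):
    """Constructed traffic: a few spoofed /24s flooding 'example.com ANY'
    alongside ordinary clients asking one distinct question per second."""
    rrl = RRL(RATE_LIMIT)
    counts = Counter()
    for t in range(seconds):
        for s in range(spoofed_subnets):
            for i in range(flood_rate):
                ip = f"10.0.{s}.{i % 250 + 1}"
                counts[rrl.decide(t, ip, "example.com", "ANY")] += 1
        for c in range(legit_clients):
            counts[rrl.decide(t, f"192.0.{c}.10", f"host{c}.example.net", "A")] += 1
    return dict(counts), rrl
```

Running simulate() answers every legitimate query while suppressing about 96% of the flood, most of it as silent drops; the same bucket is answered again 16 seconds after the flood stops, which is the window in action.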