[ratelimits] dramatic effect of turning on RRL in BIND
Pierre Baume
pierre at netnod.se
Fri Dec 28 15:37:09 UTC 2012
Hi Paul,
Interesting, thanks for sharing!
Just out of curiosity, what's the color-coding on the graph (and/or does
it come from a standard package)?
Pierre.
On Fri, 28 Dec 2012 14:36:45 +0100, Paul Vlaar <pvlaar at afilias.info> wrote:
> Hi all,
>
> I just wanted to share this graph showing the effect of RRL during an
> attack that we were seeing to a node of ours not doing RRL yet on that
> particular nameserver.
>
> We're still seeing spikes of up to 180k DNS queries per second, but due
> to the RRL we're now at a rather steady rate of 80% query drop. Biggest
> percentage I've seen so far. It does appear that for this particular
> attack the source (probably spoofed) addresses are a relatively small
> subset, so RRL is particularly effective at keeping traction here.
>
> We went from ~2.3Gb/s to less than 70Mb/s on the outbound after we
> turned on RRL. We're running BIND 9.8.3-vjs197.16-P4 here, and these are
> the RRL config settings:
>
> rate-limit {
>     responses-per-second 5;
>     errors-per-second 5;
>     window 15;
>     slip 5;
> };
>
> Obviously this is a huge improvement for everyone involved.
>
> I hope this is of interest or inspiration to anyone. If anyone wants to
> know more details, let me know.
>
> Much thanks goes to the developers!
>
> ~paul
>
>