[ratelimits] dramatic effect of turning on RRL in BIND

Pierre Baume pierre at netnod.se
Fri Dec 28 15:37:09 UTC 2012

Hi Paul,

   Interesting, thanks for sharing!

   Just out of curiosity, what's the color-coding on the graph (and/or does  
it come from a standard package)?


On Fri, 28 Dec 2012 14:36:45 +0100, Paul Vlaar <pvlaar at afilias.info> wrote:

> Hi all,
> I just wanted to share this graph showing the effect of RRL during an
> attack that we were seeing to a node of ours not doing RRL yet on that
> particular nameserver.
> We're still seeing spikes of up to 180k DNS queries per second, but due
> to the RRL we're now at a rather steady rate of 80% query drop. Biggest
> percentage I've seen so far. It does appear that for this particular
> attack the source (probably spoofed) addresses are a relatively small
> subset, so RRL is particularly effective at keeping traction here.
> We went from ~2.3Gb/s to less than 70Mb/s on the outbound after we
> turned on RRL. We're running BIND 9.8.3-vjs197.16-P4 here, and these are
> the RRL config settings:
>         rate-limit {
>                 responses-per-second 5;
>                 errors-per-second 5;
>                 window 15;
>                 slip 5;
>         };
> Obviously this is a huge improvement for everyone involved.
> I hope this is of interest or inspiration to anyone. If anyone wants to
> know more details, let me know.
> Much thanks goes to the developers!
> 	~paul
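To make the four quoted settings concrete, here is an added example (not code from Paul's post, and not BIND's own rrl.c): a simplified token-bucket model of response rate limiting, run against a constructed flood from one spoofed /24 plus one honest client asking the same name. Assumptions are the per-(client /24, qname, qtype) bucketing, the refill rule (one second of credit at most), the debt floor of window * rate, and the TEST-NET source addresses; BIND's real implementation differs in detail. What it shows is why "slip 5" leaves roughly one in five limited queries answered with a truncated (TC) reply while the rest are dropped, which is how a sustained flood settles near an 80% drop fraction, and why a client in a different /24 is untouched.

```python
# Added example: simplified model of BIND RRL with the quoted settings.
# Not BIND's implementation; refill/debt rules and bucket keying are assumptions.
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class RrlConfig:
    responses_per_second: int = 5   # identical answers per second per bucket
    errors_per_second: int = 5      # error responses (NXDOMAIN/REFUSED) per second per bucket
    window: int = 15                # seconds of debt a bucket may accumulate
    slip: int = 5                   # every slip-th limited response is sent truncated (TC)


class RrlLimiter:
    """Per-(client /24, qname, qtype) bucket; decide() returns 'answer', 'slip' or 'drop'."""

    def __init__(self, cfg: RrlConfig):
        self.cfg = cfg
        self.balance = {}         # key -> (credits, last_seen_second)
        self.limited = Counter()  # key -> number of rate-limited responses so far

    @staticmethod
    def bucket_key(client_ip, qname, qtype, is_error):
        # Assumption: IPv4 clients aggregated per /24; errors tracked in their own bucket
        net = ip_network(f"{client_ip}/24", strict=False)
        return (str(net), qname.lower(), qtype, "error" if is_error else "ok")

    def decide(self, client_ip, qname, qtype, now, is_error=False):
        cfg = self.cfg
        rate = cfg.errors_per_second if is_error else cfg.responses_per_second
        key = self.bucket_key(client_ip, qname, qtype, is_error)
        credits, last = self.balance.get(key, (rate, now))
        # Refill one rate's worth per elapsed second, never above one second of credit
        credits = min(rate, credits + rate * (now - last))
        if credits >= 1:
            self.balance[key] = (credits - 1, now)
            return "answer"
        # Rate limited: go into debt (bounded by window seconds of rate), then slip or drop
        self.balance[key] = (max(credits - 1, -rate * cfg.window), now)
        self.limited[key] += 1
        if cfg.slip and self.limited[key] % cfg.slip == 0:
            return "slip"   # small TC reply: a real resolver retries over TCP, a spoofed target gets little
        return "drop"


def simulate_flood(cfg=RrlConfig(), seconds=3, flood_qps=1000):
    """Constructed scenario: spoofed flood inside one /24 plus one honest client per second."""
    rrl = RrlLimiter(cfg)
    flood, honest = Counter(), Counter()
    for t in range(seconds):
        for i in range(flood_qps):
            src = f"203.0.113.{i % 256}"   # constructed spoofed sources, all within TEST-NET-3 /24
            flood[rrl.decide(src, "example.net", "ANY", t)] += 1
        honest[rrl.decide("198.51.100.7", "example.net", "ANY", t)] += 1
    return dict(flood), dict(honest)


def drop_fraction(cfg=RrlConfig(), seconds=3, flood_qps=1000):
    """Share of flood queries that produce no response at all."""
    flood, _ = simulate_flood(cfg, seconds, flood_qps)
    return flood.get("drop", 0) / (seconds * flood_qps)


if __name__ == "__main__":
    flood, honest = simulate_flood()
    print("flood  :", flood)     # 5 answered, 599 truncated, 2396 dropped
    print("honest :", honest)    # every query answered
    print(f"drop fraction: {drop_fraction():.1%}")
```

Lowering slip raises the share of truncated replies and thus outbound bytes, while slip 0 drops everything limited and removes the TCP fallback for a legitimate resolver that happens to share a /24 with spoofed sources; the model lets you compare those trade-offs before touching the production setting.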
