[ratelimits] dramatic effect of turning on RRL in BIND

Groups groups at obsd.us
Fri Dec 28 15:45:06 UTC 2012


Ditto here
What are you using for your graphs?
Thx
CT

On 12/28/2012 09:37 AM, Pierre Baume wrote:
> Hi Paul,
>
>    Interesting, thanks for sharing!
>
>    Just out of curiosity, what's the color-coding on the graph (and/or
> does it come from a standard package)?
>
> Pierre.
>
>
> On Fri, 28 Dec 2012 14:36:45 +0100, Paul Vlaar <pvlaar at afilias.info> wrote:
>
>> Hi all,
>>
>> I just wanted to share this graph showing the effect of RRL during an
>> attack that we were seeing to a node of ours not doing RRL yet on that
>> particular nameserver.
>>
>> We're still seeing spikes of up to 180k DNS queries per second, but due
>> to the RRL we're now at a rather steady rate of 80% query drop. Biggest
>> percentage I've seen so far. It does appear that for this particular
>> attack the source (probably spoofed) addresses are a relatively small
>> subset, so RRL is particularly effective at keeping traction here.
>>
>> We went from ~2.3Gb/s to less than 70Mb/s on the outbound after we
>> turned on RRL. We're running BIND 9.8.3-vjs197.16-P4 here, and these are
>> the RRL config settings:
>>
>>         rate-limit {
>>                 responses-per-second 5;
>>                 errors-per-second 5;
>>                 window 15;
>>                 slip 5;
>>         };
>>
>> Obviously this is a huge improvement for everyone involved.
>>
>> I hope this is of interest or inspiration to anyone. If anyone wants to
>> know more details, let me know.
>>
>> Much thanks goes to the developers!
>>
>>     ~paul
>>
>>
> _______________________________________________
> ratelimits mailing list
> ratelimits at lists.redbarn.org
> http://lists.redbarn.org/mailman/listinfo/ratelimits
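Added example, not BIND's code or anything posted in the thread: a simplified model of how the `rate-limit` settings quoted above (responses-per-second 5, window 15, slip 5) decide to send, drop or slip each response, run over constructed traffic. The `RRL` class, `run_demo()`, the per-prefix/per-answer bucket approximation and all addresses (198.51.100.0/24, 203.0.113.7) are assumptions made for illustration.

```python
# Simplified RRL model. Real BIND also applies errors-per-second, IPv6
# prefixes, all-per-second and other knobs; this keeps only the core idea.
import ipaddress
from collections import defaultdict

class RRL:
    def __init__(self, responses_per_second=5, window=15, slip=5, ipv4_prefix=24):
        self.rps, self.window, self.slip = responses_per_second, window, slip
        self.prefix = ipv4_prefix
        self.buckets = {}                    # key -> (credits, last_seen)
        self.limited = defaultdict(int)      # key -> number of limited responses
        self.stats = {"sent": 0, "slipped": 0, "dropped": 0}

    def _key(self, client_ip, qname, qtype):
        # Accounting is per source prefix and per identical answer, so one
        # spoofed /24 asking one name shares a single bucket (as in the post).
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix}", strict=False)
        return (str(net), qname.lower(), qtype)

    def decide(self, now, client_ip, qname, qtype):
        key = self._key(client_ip, qname, qtype)
        credits, last = self.buckets.get(key, (self.rps, now))
        # Each new second adds rps credits; unused credit never exceeds one
        # second's worth, while debt may grow to window seconds' worth.
        credits = min(self.rps, credits + (int(now) - int(last)) * self.rps)
        if credits >= 1:
            self.buckets[key] = (credits - 1, now)
            self.stats["sent"] += 1
            return "send"
        self.buckets[key] = (max(credits - 1, -self.window * self.rps), now)
        self.limited[key] += 1
        if self.slip and self.limited[key] % self.slip == 0:
            self.stats["slipped"] += 1   # truncated (TC=1) reply: real clients retry over TCP
            return "slip"
        self.stats["dropped"] += 1       # spoofed sources get nothing at all
        return "drop"

def run_demo():
    """Constructed traffic: a spoofed /24 flooding one name at 100 qps for 10 s,
    a legitimate client at 1 qps, and two probes from inside the spoofed /24."""
    traffic = [(s + i / 100, f"198.51.100.{i}", "example.com", "A")
               for s in range(10) for i in range(100)]
    traffic += [(float(s), "203.0.113.7", "www.example.com", "A") for s in range(10)]
    traffic += [(3.5, "198.51.100.77", "example.com", "A"),        # shares the flood's bucket
                (3.5, "198.51.100.77", "mail.example.com", "MX")]  # different answer, own bucket
    rrl, results = RRL(responses_per_second=5, window=15, slip=5), {}
    for t, ip, qname, qtype in sorted(traffic, key=lambda q: q[0]):
        verdict = rrl.decide(t, ip, qname, qtype)
        if ip == "198.51.100.77":
            results[qname] = verdict
    results.update(rrl.stats)
    return results
```

The flood collapses to five answers plus one truncated reply in five, while the legitimate client is untouched; a host inside the spoofed /24 is only hit when it asks for the same answer the flood does.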

