[ratelimits] BIND9 DNS rate limit logging

Patrik Fältström paf at frobbit.se
Sat Jul 7 06:21:48 UTC 2012 

On 6 jul 2012, at 22:43, Vernon Schryver wrote:

> Another tactic would be:
> 
>  - all responses dropped or slipped (answered with TC=1) are logged
>     in the 'queries' category, one log entry per response, at the
>     INFO level.
> 
>  - one entry at the INFO level is sent to the 'rate-limit' category
>     for the first response dropped in a stream of responses.
> 
> That should result in
>  1. the 'queries' category gets the same, often very large number of lines
>      with or without rate limiting.
> 
>  2. the 'rate-limit' category gets one log entry per burst of identical
>      responses.
> 
>  3. a single request/response could result in separate log entries in both
>       the 'queries' and 'rate-limit' categories.  
> 
>  4. all responses are logged somewhere at least once, but if you don't
>       watch the 'queries' category, you don't have to see them all.
> 
> 
> Would this tactic answer the need for less verbose rate limit logging?
> 
> If so, would #2 be improved by generating one log entry per "window"
> seconds, so that an attack lasting two days would have 11,520
> 'rate-limit' log entries instead of only one in the first day's log file?
> (As the code is now, there will be 115,200 'rate-limit' category
> log entries for 10 attack qps or 1.1M entries for 100 qps)

One thing I have been looking for is "counting" both the number of blocked queries and the number of intervals where blocking occurs. And today we get the number of "windows", as we get the log entry when the window "opens" (i.e. when queries starts to get dropped in that window). You suggest getting data in the query category for also dropped queries which is good, but, it feels complicated to be forced to save the query category just to do the counting.

Could one also get a log entry when a window is opened again (i.e. when the blocking for that window stops) where also the cumulative number of dropped queries according to that window rule has been counted?

Maybe adding a counter is not possible at all (or take too much resources), but as you ask...

   Patrik

More information about the ratelimits mailing list