[ratelimits] BIND9 DNS rate limit logging

Vernon Schryver vjs at rhyolite.com
Sat Jul 7 15:15:22 UTC 2012


> From paf at frobbit.se Sat Jul  7 14:19:58 2012

> If by "dropped" you imply "something that hit a rate limit
> window", I think that is the counter I am asking for.

So you would be satisfied by a single counter for all responses that
are not sent as a result of rate limits?


> How do you remove buckets?

I'm a fan of lazy evaluation.  Buckets are recycled but never garbage
collected or scanned.  When a response is considered, its existing
bucket is found, created new if allowed by the limit on total buckets,
or created by recycling the oldest bucket belonging to another stream
of responses.  Each bucket is timestamped to support the token counting.


> For example, I have the following:
>
> rate-limit {
>   responses-per-second 5;
>   IPv4-prefix-length 8;
>   window 200;
>   slip 10;
> };
>
> Are you logging as rate limit _every_ query that is dropped due to
> this rule today?

In the current code, every dropped response is logged in the 'rate-limit'
category.  I propose new code that logs every dropped response in the
'queries' or 'query-errors' category, and the start and 1 minute
marks for each (CIDR block,qtype,qname) in the 'rate-limit' category.


> > It repeats the "rate-limit" log entry
> > once every 60 seconds while the dropping of that stream continues so
> > that a continuing attack is not missed as log files are rotated.
>
> Is it possible to also get in each such log entry "number of hits"
> the last 60 seconds?

By Church's Thesis, anything you can describe cogently is possible,
but I'd rather not do that.  One issue is that the missing last log
entry when the dropping stops would make the counts inaccurate.
My real objection is that it would cost 4 additional bytes in every
bucket.  I'm trying to keep the buckets small to limit the total memory
spent on buckets by a busy server.  Every distinct (CIDR block,qtype,qname)
considered during 'window' seconds wants its own bucket.  So unless
it is important, I'd rather not.

Your "IPv4-prefix-length 8" might make any counts in the proposed
rate-limit category messages less interesting.  They would reflect
total hits per minute for the (class-A,qtype,qname).
I suspect what you want first is a report of hits/minute for each
active IP address regardless of request.


thanks,
Vernon Schryver    vjs at rhyolite.com
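An added toy model of the bucket scheme and logging proposal discussed in the message above (example code written for this page; it is not BIND's rrl.c and not code posted by the author). It assumes a simplified credit rule (credits accrue at responses-per-second, are capped at +rate, and may go negative down to -rate*window), keeps one bucket per (CIDR block, qtype, qname) in a small fixed-size table that is recycled lazily rather than scanned, timestamps each bucket for the token counting, keeps a single counter of responses not sent, and writes a 'rate-limit' line at the start of dropping and again at each 60 second mark while dropping continues. The traffic in run_demo() is constructed, not captured.

```python
"""Toy model of BIND9-style response rate limiting (RRL).

Added example, not BIND's rrl.c and not code from this thread. The credit
arithmetic below is an assumption made for illustration: credits accrue at
responses-per-second, are capped at +rate, and may fall to -rate*window.
"""
from collections import OrderedDict
from dataclasses import dataclass
from typing import Optional
import ipaddress

LOG_REPEAT_SECS = 60.0   # repeat the 'rate-limit' entry each minute while dropping continues


@dataclass
class Bucket:
    credits: float                    # credits left after the debit; >= 0 means "send"
    ts: float                         # per-bucket timestamp supporting the token counting
    slip_count: int = 0               # limited responses seen, drives the 'slip' rule
    next_log: Optional[float] = None  # next 'rate-limit' line due; None = not dropping


class RRL:
    def __init__(self, responses_per_second=5, ipv4_prefix_length=8,
                 window=200, slip=10, max_buckets=2):
        self.rate = float(responses_per_second)
        self.plen = ipv4_prefix_length
        self.window = window
        self.slip = slip
        self.max_buckets = max_buckets   # hard cap on memory spent on buckets
        self.buckets = OrderedDict()     # key -> Bucket, least recently used first
        self.dropped = 0                 # single counter: responses not sent because of limits
        self.rate_limit_log = []         # 'rate-limit' category: start and 60 s marks only
        self.query_log = []              # per-response lines, the proposed 'queries' category

    def key(self, client_ip, qtype, qname):
        """Collapse the client address to its CIDR block, as IPv4-prefix-length does."""
        net = ipaddress.ip_network(f"{client_ip}/{self.plen}", strict=False)
        return (str(net), qtype, qname.lower())

    def _bucket(self, key, now):
        b = self.buckets.get(key)
        if b is not None:
            self.buckets.move_to_end(key)   # mark most recently used
            return b
        if len(self.buckets) >= self.max_buckets:
            # Lazy recycling: no scan, no GC; the least recently used bucket of
            # another stream is taken over and its history forgotten.
            self.buckets.popitem(last=False)
        b = Bucket(credits=self.rate, ts=now)
        self.buckets[key] = b
        return b

    def _refill(self, b, now):
        elapsed = now - b.ts            # evaluated only when a response is considered
        if elapsed > 0:
            b.credits = min(self.rate, b.credits + elapsed * self.rate)
            b.ts = now

    def _log_limit(self, key, now):
        block, qtype, qname = key
        self.rate_limit_log.append(
            f"{now:.1f} rate-limit: limit responses to {block} for {qname} {qtype}")

    def response(self, now, client_ip, qtype, qname):
        """Decide one candidate response: 'send', 'slip' (truncated reply) or 'drop'."""
        key = self.key(client_ip, qtype, qname)
        b = self._bucket(key, now)
        self._refill(b, now)
        b.credits = max(b.credits - 1, -self.rate * self.window)
        if b.credits >= 0:
            b.next_log = None   # dropping stopped; deliberately no 'stop' line, as in the message
            return "send"
        if b.next_log is None or now >= b.next_log:   # start of dropping, or a 60 s mark
            self._log_limit(key, now)
            b.next_log = now + LOG_REPEAT_SECS
        b.slip_count += 1
        if self.slip and b.slip_count % self.slip == 0:
            verdict = "slip"    # every slip-th limited response goes out truncated (TC=1)
        else:
            verdict = "drop"
            self.dropped += 1
        self.query_log.append(f"{now:.1f} queries: {verdict} {client_ip} {qname} {qtype}")
        return verdict


def run_demo():
    """Constructed traffic: one host hammers (A, example.com) at 20 responses/s for
    131 s; then another host in the same /8, two unrelated streams, and the attacker again."""
    rrl = RRL(responses_per_second=5, ipv4_prefix_length=8, window=200, slip=10, max_buckets=2)
    counts = {"send": 0, "slip": 0, "drop": 0}
    for t in range(131):
        for _ in range(20):
            counts[rrl.response(float(t), "10.1.2.3", "A", "example.com")] += 1
    out = {"counts": counts}
    # another host in 10/8 shares the attacker's bucket, so it is limited as well
    out["same_block"] = rrl.response(131.0, "10.200.200.200", "A", "example.com")
    # an unrelated stream takes the second bucket and is sent
    out["other"] = rrl.response(131.0, "192.0.2.7", "AAAA", "example.net")
    # a third stream with the table full recycles the least recently used bucket (10/8) ...
    out["third"] = rrl.response(131.0, "198.51.100.9", "MX", "example.org")
    # ... so the returning attacker starts over with fresh credits
    out["attacker_back"] = rrl.response(132.0, "10.1.2.3", "A", "example.com")
    out["dropped_counter"] = rrl.dropped
    out["rate_limit_log"] = list(rrl.rate_limit_log)
    out["bucket_keys"] = list(rrl.buckets)
    return out
```

run_demo() produces three 'rate-limit' lines (0 s, 60 s, 120 s) against roughly 2,600 per-response lines in the 'queries' category, which is the volume difference the proposal is about. It also shows the caveat of lazy recycling: with a bucket table too small for every distinct (CIDR block, qtype, qname) active within 'window' seconds, the attacking stream loses its bucket to unrelated traffic and is briefly unlimited when it returns, which is why the message worries about bucket size rather than adding 4 bytes of counters to each one.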

