[ratelimits] ratelimiting /24 for <tld>

Vernon Schryver vjs at rhyolite.com
Sat Jul 7 19:10:17 UTC 2012


> From: Tony Finch <dot at dotat.at>

> I'm afraid I mixed up two separate issues in my original message - the TLD
> oddity and the NSEC oddity. I understand the need for protecting against
> random-name attacks. Weirdly, if I hammer on a nonexistent name, I get
> rate-limited based on the enclosing NSEC record, but if I do a random name
> attack on an authoritative zone I get limited based on the zone apex. Is
> the rrl code being called more than once per query?

I think I don't understand the first part of that question.
A recursive server can check rate limiting more than once or each time
it tries to answer the request, the first time and after each attempt
at recursion.


> Note that in the above log extract the rate limiter is throttling positive
> answers, so the question of random attacks should not be relevant.

It is not clear to me that it is throttling final positive answers.


> I was under the impression that the hash table key for positive answers
> was QNAME,QTYPE,client, not some other name.

We are rate limiting responses instead of requests and so the
key is not exactly (QNAME,QTYPE,client).
If the key were (QNAME,QTYPE,client), then we could not rate limit
random names.  It is (closest name,qtype,client).
For non-error responses from an authoritative server, the closest
name is the same as the QNAME.  They can differ in other cases.


> Here's an example of a real false positive from earlier in the day. There
> were 40 queries in the two seconds before the rate limiter kicked in, but
> they were for different names.
> ...

What is the false positive in those lines?
Are the requests for verisign, twitter, and other names other than
feedburner and google relevant?  I don't see any requests for feedburner.
I do see several different google.com names.

I see only one rate limiting line, but it is for ocsp.thawte.com at 13:39:01.
That it is a lot more than 10 seconds after the first line at 13:37:24
and that there are no preceding requests for thawte.com bothers me.


Vernon Schryver    vjs at rhyolite.com
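A small model of the keying Vernon describes, added here as an illustration and not code from BIND or the ratelimits patch. It keys each response on (closest name, qtype, client /24) and shows why a random-name attack collapses onto one key while a burst of distinct positive answers does not. Two simplifying assumptions: NXDOMAIN responses use the zone apex as the closest name (the real code uses the closest existing name from the NSEC/zone data), and the limit is counted per whole-second window.

```python
import ipaddress
from collections import defaultdict

def client_bucket(ip: str, prefix_len: int = 24) -> str:
    """Collapse a client address to its /24 block, e.g. '192.0.2.0/24'."""
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))

def closest_name(qname: str, rcode: str, zone_apex: str) -> str:
    """Name component of the RRL key. Non-error answers key on the QNAME
    itself; NXDOMAIN answers collapse to an existing name (assumption: the
    zone apex), so random non-existent names all share one key."""
    return qname if rcode == "NOERROR" else zone_apex

class ResponseRateLimiter:
    def __init__(self, responses_per_second: int = 5):
        self.limit = responses_per_second
        self.counts = defaultdict(int)   # (second, name, qtype, /24) -> responses sent

    def allow(self, ts: float, client_ip: str, qname: str, qtype: str,
              rcode: str, zone_apex: str) -> bool:
        """True if this response may be sent; False once the key's per-second
        budget is exhausted (the response would be dropped or slipped)."""
        key = (int(ts), closest_name(qname, rcode, zone_apex), qtype,
               client_bucket(client_ip))
        self.counts[key] += 1
        return self.counts[key] <= self.limit

def simulate(responses, limit: int = 5, zone_apex: str = "example.com.") -> int:
    """Run constructed responses through the limiter; return how many are refused."""
    rrl = ResponseRateLimiter(limit)
    return sum(1 for ts, ip, qname, qtype, rcode in responses
               if not rrl.allow(ts, ip, qname, qtype, rcode, zone_apex))

# Constructed traffic, all within one second, all from one /24.
# Random-name attack: 20 different non-existent names -> one key (apex, A, /24).
RANDOM_NXDOMAIN = [(100.0 + i / 100, f"192.0.2.{i % 5}", f"x{i}.example.com.", "A", "NXDOMAIN")
                   for i in range(20)]
# Legitimate burst: 20 different existing names -> 20 distinct keys, nothing limited.
DISTINCT_POSITIVE = [(100.0 + i / 100, "192.0.2.7", f"host{i}.example.com.", "A", "NOERROR")
                     for i in range(20)]

if __name__ == "__main__":
    print("random NXDOMAIN names refused:", simulate(RANDOM_NXDOMAIN))   # 15
    print("distinct positive answers refused:", simulate(DISTINCT_POSITIVE))  # 0
```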

