[ratelimits] BIND9 DNS rate limit logging
Patrik Fältström
paf at frobbit.se
Sat Jul 7 20:53:01 UTC 2012
On 7 jul 2012, at 17:15, Vernon Schryver wrote:
> My real objection is that it would cost 4 additional bytes in every
> bucket.
Agree with this concern.
> I'm trying to keep the buckets small to limit the total memory
> spent on buckets by a busy server. Every distinct (CIDR block,qtype,qname)
> considered during 'window' seconds wants its own bucket. So unless
> it is important, I'd rather not.
What one wants is some data, in as simple a way as possible: some statistics on what crap actually hits the server.
One can log queries, and then post-process to create the counters, but that is a waste of disk and CPU in the post processing.
But, just to get _some_ statistics that tell how the attacks are going up/down is helpful.
> Your "IPv4-prefix-length 8" might make any counts in the proposed
> rate-limit category messages less interesting. They would reflect
> total hits per minute for the (class-A,qtype,qname).
Today, I do things like this to get some understanding of what is going on:
#grep 'rate limiting' named.log > ~paf/ratelimiting.log
#for i in 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30; do echo -n "$i June" ; grep $i-Jun-2012 ~paf/ratelimiting.log | wc -l; done
11 June 8985
12 June 23516
13 June 15984
14 June 13735
15 June 24994
16 June 11786
17 June 14847
18 June 14318
19 June 29950
20 June 17569
21 June 20001
22 June 12691
23 June 9486
24 June 7260
25 June 8809
26 June 7226
27 June 1422
28 June 481
29 June 689
30 June 262
#for i in 1 2 3 4 5 6 7; do echo -n "0$i July" ; grep 0$i-Jul-2012 ~paf/ratelimiting.log | wc -l; done
01 July 1916
02 July 2755
03 July 2541
04 July 1723
05 July 2189
06 July 2247
07 July 1586
#
Patrik
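The daily counts above are produced with one grep per day. As an added example (not from Patrik's message or from BIND itself), the same statistic can be collected in a single awk pass over the log, which scales better once the date range grows. It assumes the first field of each log line is a BIND-style timestamp such as 11-Jun-2012 and that the rate-limit events contain the phrase "rate limiting", as in the grep above; the log lines embedded in the script are constructed for illustration and do not reproduce BIND's exact message wording.

```shell
#!/bin/sh
# Added example: per-day counts of BIND rate-limit log lines in one awk pass.
# Assumptions: field 1 is a DD-Mon-YYYY timestamp; rate-limit events contain
# the phrase "rate limiting". The sample log below is constructed, not real.

SAMPLE_LOG=$(cat <<'EOF'
11-Jun-2012 10:00:01.123 rate-limit: info: rate limiting ANY example.com
11-Jun-2012 10:00:02.456 rate-limit: info: rate limiting ANY example.com
11-Jun-2012 10:00:03.789 queries: info: client 192.0.2.1#1234: query: www.example.com IN A
12-Jun-2012 00:00:00.001 rate-limit: info: rate limiting ANY example.com
13-Jun-2012 12:34:56.000 rate-limit: info: rate limiting ANY example.com
13-Jun-2012 12:34:57.000 rate-limit: info: rate limiting ANY example.com
13-Jun-2012 12:34:58.000 rate-limit: info: rate limiting ANY example.com
EOF
)

# count_per_day: read log text on stdin, emit "DD-Mon-YYYY count" per day,
# in order of first appearance (which is chronological for an append-only log).
count_per_day() {
    awk '/rate limiting/ {
             n[$1]++
             if (!($1 in seen)) { seen[$1] = 1; order[++k] = $1 }
         }
         END { for (i = 1; i <= k; i++) print order[i], n[order[i]] }'
}

# count_for_day DAY: the count for one day from the sample log, 0 if none
# (so a quiet day shows up as 0 instead of disappearing from the statistic).
count_for_day() {
    printf '%s\n' "$SAMPLE_LOG" | count_per_day |
        awk -v d="$1" '$1 == d { print $2; found = 1 } END { if (!found) print 0 }'
}

# Stand-alone usage: print the per-day table for the constructed log.
# For a real log, replace the printf with: count_per_day < named.log
printf '%s\n' "$SAMPLE_LOG" | count_per_day
```

Because the pass keys on the timestamp field rather than on a fixed list of day numbers, it also works across month boundaries without a second loop, and days with no rate-limit lines can be reported explicitly as zero rather than omitted.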