[ratelimits] RRL patches for 9.8.4 and 9.9.2
paul vixie
paul at redbarn.org
Mon Oct 22 18:29:12 UTC 2012
at <http://www.redbarn.org/dns/ratelimits> there are now patches for
BIND9 9.8.4 and 9.9.2. we are also announcing a new knob, described as
follows:
UDP responses of all kinds can be limited with the all-per-second
phrase. This rate limiting is similar to the rate limiting offered
by firewalls. When performed in a DNS server it is inferior to the
other rate-limit forms, because it ignores the contents of responses
to a block of IP addresses. The rate limiting provided by
responses-per-second, errors-per-second, and nxdomains-per-second
on a DNS server is often invisible to the victim of a DNS reflection
attack. Unless the forged requests of the attack are the same as
the legitimate requests of the victim, the victim's requests are
not affected. An all-per-second limit must be at least 4 times as
large as the other limits, because single DNS clients often send
bursts of legitimate requests. For example, the receipt of a single
mail message can prompt requests from an SMTP server for NS, PTR,
A, and AAAA records as the incoming SMTP/TCP/IP connection is
considered. The SMTP server can need additional NS, A, AAAA, MX,
TXT, and SPF records as it considers the SMTP Mail From command.
paul and vernon
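To make the difference between the two accounting schemes concrete, the following is a small Python model of the policy described above. It is an added example, not code from the RRL patches or from BIND: the one-second reset counters, the grouping of clients by IPv4 /24, the rule that all-per-second is only charged for responses the content-specific limit has not already dropped, and the RFC 5737 addresses and names used for the traffic are all simplifying assumptions of this model.

```python
"""Model of two RRL accounting schemes for UDP responses (added example).

This is NOT code from the RRL patches or from BIND; it is a simplified model
written to show why a content-blind all-per-second limit behaves differently
from responses-per-second, and why it must be set well above the other limits.

Simplifying assumptions of the model:
  * clients are grouped by IPv4 /24
  * every counter is reset at the start of each wall-clock second, instead of
    the credit/debit bucket with a window that real RRL uses
  * all-per-second is charged only for responses that the content-specific
    limit has not already dropped
  * only positive answers are modelled (errors/nxdomains are keyed differently)
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed addresses and names for the traffic below (RFC 5737 ranges).
VICTIM_MTA = "192.0.2.25"      # the victim's real mail server
SPOOFED_SRC = "192.0.2.10"     # source address forged by the attacker, same /24
CONNECTING_HOST_PTR = "10.113.0.203.in-addr.arpa"


def client_block(addr, prefix_len=24):
    """Key used to group clients: the /24 containing the source address."""
    return str(ip_network(f"{addr}/{prefix_len}", strict=False))


class Limiter:
    """Per-second counters for the two policies; None disables a policy."""

    def __init__(self, responses_per_second=None, all_per_second=None):
        self.rps = responses_per_second
        self.aps = all_per_second
        self._per_response = defaultdict(int)   # (block, identity) -> count
        self._per_block = defaultdict(int)      # block -> count
        self._second = None

    def answer(self, second, src, qname, qtype):
        """Return 'send' or 'drop' for one UDP response to (src, qname, qtype)."""
        if second != self._second:              # new second: fresh counters
            self._second = second
            self._per_response.clear()
            self._per_block.clear()
        block = client_block(src)
        # Responses with the same name and type count as "the same response".
        identity = (qname.lower(), qtype.upper())
        if self.rps is not None:
            self._per_response[(block, identity)] += 1
            if self._per_response[(block, identity)] > self.rps:
                return "drop"
        if self.aps is not None:
            self._per_block[block] += 1
            if self._per_block[block] > self.aps:
                return "drop"
        return "send"


def smtp_burst(second, src=VICTIM_MTA):
    """The legitimate burst one mail delivery causes at the victim's MTA."""
    queries = [
        (CONNECTING_HOST_PTR, "PTR"), ("example.com", "NS"),   # connection checks
        ("example.com", "A"), ("example.com", "AAAA"),
        ("example.org", "NS"), ("example.org", "A"),           # MAIL FROM checks
        ("example.org", "AAAA"), ("example.org", "MX"),
        ("example.org", "TXT"), ("example.org", "SPF"),
    ]
    return [(second, src, name, qtype, "legit") for name, qtype in queries]


def reflection_flood(second, count=100, src=SPOOFED_SRC):
    """Identical forged queries whose responses reflect onto the victim's /24."""
    return [(second, src, "example.com", "ANY", "attack")] * count


def simulate(limiter, traffic):
    """Count how many legitimate and attack responses the limiter lets out."""
    sent = {"legit_sent": 0, "attack_sent": 0}
    for second, src, qname, qtype, kind in traffic:
        if limiter.answer(second, src, qname, qtype) == "send":
            sent[kind + "_sent"] += 1
    return sent


def scenario(responses_per_second, all_per_second, with_flood):
    """Run the flood (if any) followed by the victim's burst in the same second."""
    limiter = Limiter(responses_per_second, all_per_second)
    traffic = (reflection_flood(1) if with_flood else []) + smtp_burst(1)
    return simulate(limiter, traffic)


if __name__ == "__main__":
    for rps, aps, flood in [(5, None, True), (None, 20, True), (5, 20, True),
                            (5, 5, True), (None, 5, False), (None, 20, False)]:
        print(f"rps={rps!s:>4} aps={aps!s:>4} flood={flood!s:5}",
              scenario(rps, aps, flood))
```

In the flood scenarios the per-response limit drops the forged ANY responses while the victim's ten distinct answers go through, whereas an all-per-second limit on its own counts the flood against the victim's whole /24 and suppresses the victim's legitimate answers as well. The last two rows show why the announcement asks for all-per-second to be at least four times the other limits: the ten-query SMTP burst from a single client is cut in half at 5 but passes intact at 20, and with both limits set to 5 the flood alone exhausts the block's allowance before the victim's burst arrives.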