[ratelimits] RRL patches for 9.8.4 and 9.9.2

paul vixie paul at redbarn.org
Mon Oct 22 18:29:12 UTC 2012

at <http://www.redbarn.org/dns/ratelimits> there are now patches for
BIND9 9.8.4 and 9.9.2. we are also announcing a new knob, described as

 UDP responses of all kinds can be limited with the all-per-second
 phrase. This rate limiting is similar to the rate limiting offered
 by firewalls. When performed in a DNS server it is inferior to the
 other rate-limit forms, because it ignores the contents of responses
 to a block of IP addresses. The rate limiting provided by
 responses-per-second, errors-per-second, and nxdomains-per-second
 on a DNS server is often invisible to the victim of a DNS reflection
 attack. Unless the forged requests of the attack are the same as
 the legitimate requests of the victim, the victim's requests are
 not affected. A all-per-second limit must be at least 4 times as
 large as the other limits, because single DNS clients often send
 bursts of legitimate requests. For example, the receipt of a single
 mail message can prompt requests from an SMTP server for NS, PTR,
 A, and AAAA records as the incoming SMTP/TCP/IP connection is
 considered. The SMTP server can need additional NS, A, AAAA, MX,
 TXT, and SPF records as it considers the STMP Mail From command.

paul and vernon

More information about the ratelimits mailing list