[ratelimits] RRL patches for 9.8.4 and 9.9.2

Chip Marshall chip at 2bithacker.net
Mon Oct 22 19:41:28 UTC 2012


On 22-Oct-2012, paul vixie <paul at redbarn.org> sent:
>  UDP responses of all kinds can be limited with the all-per-second
>  phrase. This rate limiting is similar to the rate limiting offered
>  by firewalls. When performed in a DNS server it is inferior to the
>  other rate-limit forms, because it ignores the contents of responses
>  to a block of IP addresses.

Just wanted to make sure I'm understanding this right. The new knob will
limit responses of any kind to a client subnet regardless of response
data or incoming query information?

We've been testing the RRL patches on some of our authoritatives, and
have found it ineffective against an attack we've been seeing where the
client IP is fixed but the attack changes qnames often enough to
circumvent the RRL rate limits. It looks like this new knob would
address that situation, at the expense of legitimate queries from the
source IP.

-- 
Chip Marshall <chip at 2bithacker.net>
http://weblog.2bithacker.net/          KB1QYW        PGP key ID 43C4819E
v4sw5PUhw4/5ln5pr5FOPck4ma4u6FLOw5Xm5l5Ui2e4t4/5ARWb7HKOen6a2Xs5IMr2g6CM
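To make the difference between the two accounting keys concrete, here is a small simulation added as an illustration (not BIND's RRL code): per-response limiting keyed on client block plus qname/qtype, which a fixed-source, varying-qname stream never trips, beside an all-per-second limit keyed on the client block alone, which stops the stream but also drops a neighbour's legitimate query in the same second. A fixed-window counter stands in for RRL's token buckets, and `client_block`, `WindowLimiter`, `simulate` and the traffic are invented for the example.

```python
# Simplified model of the two RRL accounting keys discussed in the thread.
# Added illustration only; not BIND code. A fixed-window counter stands in
# for RRL's token buckets, and every name here is invented for the example.
from collections import defaultdict
import ipaddress

def client_block(ip, prefix=24):
    """Collapse a client address to its IPv4 /24, since RRL counts per block."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

class WindowLimiter:
    """At most `limit` events per key within each one-second window."""
    def __init__(self, limit):
        self.limit = limit
        self.counts = defaultdict(int)  # (key, whole second) -> count
    def allow(self, key, t):
        slot = (key, int(t))
        if self.counts[slot] >= self.limit:
            return False
        self.counts[slot] += 1
        return True

def simulate(queries, per_name_limit, all_limit=None):
    """Return (sent, dropped) for a stream of (time, client_ip, qname, qtype).
    per_name_limit keys on (block, qname, qtype), like responses-per-second;
    all_limit keys on the block alone, like all-per-second, ignoring content."""
    per_name = WindowLimiter(per_name_limit)
    per_block = WindowLimiter(all_limit) if all_limit is not None else None
    sent = dropped = 0
    for t, ip, qname, qtype in queries:
        block = client_block(ip)
        ok = per_name.allow((block, qname.lower(), qtype), t)
        if ok and per_block is not None:
            ok = per_block.allow(block, t)
        sent, dropped = (sent + 1, dropped) if ok else (sent, dropped + 1)
    return sent, dropped

# Constructed traffic: one fixed source sends 1000 queries within one second,
# each for a different qname, so no per-name key is ever seen twice.
ATTACK = [(i / 1000, "192.0.2.10", f"rnd{i}.example", "ANY") for i in range(1000)]
# One legitimate query from a neighbour in the same /24, same second.
LEGIT = [(0.9995, "192.0.2.77", "www.example", "A")]

if __name__ == "__main__":
    print("per-name only:", simulate(ATTACK + LEGIT, per_name_limit=5))
    print("+ all-per-second:", simulate(ATTACK + LEGIT, per_name_limit=5, all_limit=50))
```

Run as-is, the per-name limiter lets all 1001 responses through, while adding an all-per-second limit of 50 sends 50 and drops 951, the legitimate neighbour's query among them.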