[ratelimits] RRL patches for 9.8.4 and 9.9.2
vjs at rhyolite.com
Mon Oct 22 22:57:32 UTC 2012
> From: Chip Marshall <chip at 2bithacker.net>
> > UDP responses of all kinds can be limited with the all-per-second
> > phrase. This rate limiting is similar to the rate limiting offered
> > by firewalls. When performed in a DNS server it is inferior to the
> > other rate-limit forms, because it ignores the contents of responses
> > to a block of IP addresses.
> Just wanted to make sure I'm understanding this right. The new knob will
> limit responses of any kind to a client subnet regardless of response
> data or incoming query information?
Yes, except that it affects only UDP responses.
> We've been testing the RRL patches on some of our authoritatives, and
> have found it ineffective against an attack we've been seeing where the
> client IP is fixed but the attack changes qnames often enough to
> circumvent the RRL rate limits. It looks like this new knob would
> address that situation, at the expense of legitimate queries from the
> source IP.
Before trying all-per-second, I would try reducing the responses-per-second
limit. A very low responses-per-second rate of 5 or 10 should at
worst make legitimate clients retry or use TCP.
An attack that needs to rate limit all traffic from an address block
seems likely to be an attack on the DNS server itself. Attacks on the
DNS server should be dropped before the DNS server spends resources
making TCP connections or parsing DNS requests, but that kind of rate
limiting must be done before the DNS server sees the requests.
In other words, the new all-per-second knob exists only to answer
popular demand. I don't think it's a good idea.
Other changes in the new patch make the logging less verbose.
The per-response messages in the queries category are controlled by
`rndc querylog on/off`
There is a message in the rate-limit category at the start of dropping,
a message every 10 minutes while dropping continues,
and a message about 1 minute after the end of dropping.
Vernon Schryver vjs at rhyolite.com
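The configuration Vernon recommends above, written out as a BIND named.conf fragment. This is an added example and is not part of the original message or of the RRL patch itself; the limit values are illustrative, the log file path is a placeholder, and the option names (`responses-per-second`, `all-per-second`, the `rate-limit` and `queries` logging categories) are assumed to match the RRL patch syntax for 9.8.4/9.9.2 described on this list.

```conf
// Added example, not from the original message: apply the advice above.
// Values are illustrative; option names are assumed to match the RRL patch.
options {
    rate-limit {
        // Start here: a low per-address-block limit on identical responses.
        // 5 or 10 should at worst make legitimate clients retry or use TCP.
        responses-per-second 5;

        // all-per-second caps every UDP response to a block regardless of
        // content. The author advises against it, so keep it commented out
        // unless a low responses-per-second alone proves insufficient.
        // all-per-second 100;
    };
};

logging {
    channel rrl_log {
        file "/var/log/named/rrl.log" versions 3 size 20m;  // placeholder path
        print-time yes;
        print-category yes;
    };
    // Start-of-dropping, every-10-minutes and end-of-dropping messages.
    category rate-limit { rrl_log; };
    // Per-response lines; toggled at run time with `rndc querylog on/off`.
    category queries { rrl_log; };
};
```

Leave `all-per-second` off and lower `responses-per-second` first, as the message suggests; the `rate-limit` category then gives you a low-volume record of when dropping starts, persists and ends, without the per-response noise of the `queries` category unless you turn it on with `rndc querylog on`.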