[ratelimits] CH/TXT/id.server queries rate-limited

Jay Daley jay at nzrs.net.nz
Fri Oct 26 02:48:40 UTC 2012 

On 26/10/2012, at 3:35 PM, Vernon Schryver <vjs at rhyolite.com> wrote:

> One problem with that diagnosis is that it assumes many DNS client
> address blocks are running at 10 qps.  Why that particular rate?

I was illustrating a problem that may or may not be applicable in this case, there is insufficient data to tell for sure.  I was also quite specific that this is a problem that occurs only when the qps is near the limited rate.

> There's no cost to a bad guy in modestly overshooting the rate
> limit.  The best tactic is send to plenty of qps to be sure to fill
> the rate limit quota, but not so many that too many of your bots
> are found and cured.
> 
> 
> Instead I think two other things are going on.
> 
> The "stop limiting" messaages should only happen when either
>  - 60 seconds after rate limiting stops

Or are you just talking about the limiting behaviour and not the generation of log messages:

Either you are rate limiting at X qps in which case it should stop in the first second where the traffic is < X or you are actually describing the use of multiple buckets as I described previously.  To put it simply, if you stop limiting 60 seconds later then you are actually talking about X qpm not X qps.


>  - or there is a shortage of rate-limit database entries and fairly recent
>      entries must be recycled.
> Recycling prefers all entries older than 1 second that do not need
> need a "stop limiting" message when they are recycled.  So unless
> there's a bug, I think the DNS server is seeing significantly more
> distinct IP address blocks per second than the 40000 supported by the
> "max-table-size 40000;" clause.
> 
> In other words, even if fence-posting is happening, it should not
> be visible in the log messages.
> 
> Second, more or less legitimate DNS clients stutter naturally when
> rate limited.  When they are rate limited, they pause and generally
> try to slow down until they are not rate limited.  Then they speed
> up and hit the limit again.  You can see this in `repeat XXX dig ....`.
> 
> 
> 
> } From: Jay Daley <jay at nzrs.net.nz>
> 
> } When I've previously implemented rate limiting systems I've found
> } that miscreants get to learn the limits and adjust accordingly. 
> 
> Yes, that is a necessary basic assumption that is too often ignored
> in favor of neat ideas.
> 
> } For example, if I wished to launch a reflection attack then I would not
> } be bothered by a server running a rate limit of 10qps, I would just
> } find 1000 such servers and use all of them at once.  With the current
> } RRL implementation I could happily run this attack for hours or even
> } days.
> 
> On the contrary, whether you use 1 or 1,000,000 sources for your DNS
> amplified reflection DoS attack, all of your packets will have the
> same forged IP source addresses in the address block of your intended
> victim and so will use a single bucket in the BIND9 RRL patch.

I wasn't talking about sources, I was talking about servers - multiple servers from different operators being harnessed simultaneously.

Jay

> 
> Please remember that the BIND9 RRL patch is not intended to defend
> against a DoS attack on a DNS server, although it might in some cases.
> Instead, the BIND9 RRL patch is intended to keep a DNS server from
> being used to attack a third party in a DNS amplified reflection attack.
> 
> Both "amplified" and "reflection" are important aspects of the design
> goal.  Unless you set "slip 0;" the BIND9 RRL patch will reflect or
> send about 50% as many bits to the victim as the bad guy sends to the
> DNS server.  With the default "slip 2;", the patch reduces the "gain"
> of a DNS server in an amplified reflection attack to much less than
> 1.0 and so makes a DNS server uninteresting to bad guys.
> 
> It is easy to imagine scenarios in which a reflection attack with
> a gain of less than 1.0 might be useful, but there other protocols
> with higher gains DNS with the BIND9 RRL patch.  For example,
> consider TCP/IPv6 SYN to port 80.
> 
> 
> } Another benefit of a more general approach like this is that everybody
> } does it differently, which makes it far harder for miscreants to
> } predict cumulative behaviour and use cumulative behaviour to their
> } advantage.
> 
> It's vital to address the problem at hand, amplified reflection DoS,
> instead of other problems, such DoS against DNS servers.
> 
> Second, code diversity is good, but people running big (i.e. multi-box)
> DNS servers have made their strong preference clear.  There must be a
> useful intersection of the parameters and features of all amplified
> reflection DoS rate limiting implementations at a site.
> 
> 
> Vernon Schryver    vjs at rhyolite.com
> _______________________________________________
> ratelimits mailing list
> ratelimits at lists.redbarn.org
> http://lists.redbarn.org/mailman/listinfo/ratelimits


-- 
Jay Daley
Chief Executive
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 931 6977
mobile: +64 21 678840
linkedin: www.linkedin.com/in/jaydaley

More information about the ratelimits mailing list