[ratelimits] RRL patches for 9.8.4 and 9.9.2
vjs at rhyolite.com
Fri Oct 26 16:34:27 UTC 2012
> From: Chip Marshall <chip at 2bithacker.net>
> > In other words, the new all-per-second knob exists only to
> > answer popular demand. I don't think it's a good idea.
> I can understand that, but in cases where we were previously
> running custom scripts to completely blackhole offending IPs, I
> was considering the all-per-second to be an improvement over
> that. If I can keep the traffic under control with responses-per-
> second, I'd much rather take that route.
I don't understand. Why use elaborate mechanisms like that to impose
simplistic packet rate limits?
Why not shape or limit the incoming port 53 traffic, both UDP and TCP,
to 100 pps?
(far higher than the 5-15 pps rates imposed by BIND9 RRL)
As I tried to say, I think the simplistic packet rate limit of the
new BIND RRL all-per-second knob is better implemented outside BIND
where it can also mitigate other kinds of DoS attacks besides DNS/UDP
amplified reflection attacks.
Is the problem that there is no such thing as a commercial firewall
that can keep enough state (small as it is) to rate limit packets
by IP address block for big DNS servers?
I think I've watched people use ipfw to do a good enough job with
DoS attacks on very well known anti-spam DNS and HTTP servers,
but maybe I'm confused.
Vernon Schryver vjs at rhyolite.com
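The firewall-side limit suggested in the reply (cap incoming port 53 traffic, UDP and TCP alike, at 100 packets per second per source address block) can be modelled in a few lines. The following is an added example, not code from the ratelimits list, from BIND, or from the ipfw setups mentioned above: a fixed one-second window counter keyed by source block, run over constructed traffic. The 100 pps figure comes from the post; the /24 block granularity, the sample addresses and the packet mix are assumptions.

```python
"""Per-source-block packet rate limiter for port 53 traffic.

Added example, not code from the ratelimits list or from BIND: it models
the firewall-level limit the post suggests (100 packets per second to port
53, UDP and TCP, per source address block) as a fixed one-second window
counter keyed by /24, and runs it over constructed traffic. Prefix length,
sample addresses and traffic mix are assumptions.
"""
import ipaddress
from collections import defaultdict

DNS_PORT = 53
LIMIT_PPS = 100      # packets per second per source block, from the post
PREFIX_LEN = 24      # granularity of "IP address block" (assumption)


class BlockRateLimiter:
    """Counts packets per source block per wall-clock second and drops
    anything beyond LIMIT_PPS. State per block is a pair of integers,
    which is the "small as it is" state the post refers to."""

    def __init__(self, pps=LIMIT_PPS, prefix_len=PREFIX_LEN):
        self.pps = pps
        self.prefix_len = prefix_len
        self.state = {}  # block -> [current_second, packets_seen_this_second]

    def block_of(self, src):
        return str(ipaddress.ip_network(f"{src}/{self.prefix_len}", strict=False))

    def allow(self, src, ts):
        block = self.block_of(src)
        second = int(ts)
        entry = self.state.get(block)
        if entry is None or entry[0] != second:
            entry = [second, 0]          # new one-second window, reset counter
            self.state[block] = entry
        if entry[1] >= self.pps:
            return False                 # over budget for this second: drop
        entry[1] += 1
        return True


def filter_packets(packets, limiter=None):
    """packets: iterable of (src_ip, timestamp, proto, dport).
    Only traffic to port 53 (UDP and TCP alike) goes through the limiter;
    everything else passes untouched. Returns (passed, dropped) dicts keyed
    by source block ("other" for non-DNS traffic)."""
    limiter = limiter or BlockRateLimiter()
    passed, dropped = defaultdict(int), defaultdict(int)
    for src, ts, proto, dport in sorted(packets, key=lambda p: p[1]):
        if dport != DNS_PORT:
            passed["other"] += 1
            continue
        block = limiter.block_of(src)
        if limiter.allow(src, ts):
            passed[block] += 1
        else:
            dropped[block] += 1
    return dict(passed), dict(dropped)


def constructed_traffic():
    """Constructed sample: a 1000 pps flood spread across spoofed addresses
    in 203.0.113.0/24 during second 0 that subsides to 50 pps in second 1,
    a legitimate resolver in 198.51.100.0/24 sending 20 UDP queries and one
    TCP fallback query, and one unrelated HTTP packet."""
    pkts = []
    for i in range(1000):                       # second 0: flood
        pkts.append((f"203.0.113.{i % 256}", i / 1000.0, "udp", DNS_PORT))
    for i in range(50):                         # second 1: flood subsides
        pkts.append((f"203.0.113.{i}", 1.0 + i / 50.0, "udp", DNS_PORT))
    for i in range(20):                         # legitimate resolver
        pkts.append(("198.51.100.7", i / 20.0, "udp", DNS_PORT))
    pkts.append(("198.51.100.7", 0.3, "tcp", DNS_PORT))   # TCP fallback query
    pkts.append(("198.51.100.7", 0.5, "tcp", 80))         # not DNS, untouched
    return pkts


if __name__ == "__main__":
    ok, dropped = filter_packets(constructed_traffic())
    for block in sorted(set(ok) | set(dropped)):
        print(f"{block:>18}: passed {ok.get(block, 0):4d}  "
              f"dropped {dropped.get(block, 0):4d}")
```

The flood block gets exactly 100 packets through in its busy second and all 50 in the quiet one, while the legitimate resolver's 21 queries, well under the budget, are never touched, and non-DNS traffic bypasses the limiter entirely. A real firewall rule (ipfw, nftables or a vendor appliance) would use a token bucket rather than a fixed window, but the per-block state is the same two integers, and the 100 pps threshold sits well above the 5-15 pps that BIND9 RRL applies to responses.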