[ratelimits] CH/TXT/id.server queries rate-limited

Jay Daley jay at nzrs.net.nz
Fri Oct 26 20:55:51 UTC 2012

On 27/10/2012, at 4:02 AM, Vernon Schryver <vjs at rhyolite.com> wrote:

> I was not thinking about increased false positives due only to a window
> 3600 times longer than the 1 second window in the BIND9 RRL patch.
> Instead I was thinking about popularly proposed schemes using bloom
> filters or hash tables without keys that take much less memory but
> that have significant false positive rates by sometimes putting two
> or more distinct responses in a single bucket.

OK, see below about memcached.

> On the contrary, that would increase the number of records by a factor
> of 5 (1 second vesus 5 seconds).  Unlike rate limiting IP packets
> and HTTP client IP addresses, at timescales shorter than DNS TTLs,
> DNS (IP,qname,qtype) streams are almost all single, unique respons/requests.
> They are not streams.  A DNS response rate limiter needs about as many
> buckets as window*qps.  In my code, practically all buckets are discarded
> or recycled after 1 second.  Your code would need to keep all buckets
> for 5 seconds before discard almost all of them with final counts of 1.

Ah, understood.

> Besides, you would get about the same effect on bad guys trying to
> skirting the limit by simply reducing the limit as in:
>    rate-limit {
>        responses-per-second 5;
>        window 5;
>    };

No, that's very different, which is why I was suggesting two buckets.

> A third and even bigger issue is that you're not entirely solving
> a problem that does not yet exist and I doubt will ever exist.
> You're not entirely solving it because the bad guy need only add
> more open resolvers to get below your longer window limit.  I doubt
> the problem will ever exist because of various costs and benefits
> to bad guys of various other tactics.

Hold on.  I was not suggesting this would eliminate attacks, but that it would reduce the length of time any individual server could participate in an attack, therefore increasing the difficulty in maintaining a sustained attack.  I doubt anyone would ever claim to have a silver bullet for entirely solving this problem.

> I understand memcached to be a distributed cache for databases.
> https://code.google.com/p/memcached/wiki/NewOverview
> https://en.wikipedia.org/wiki/Memcached
> That's a good idea for distributing and speeding up databases, but it
> would be a disaster for DNS response rate limiting.  DNS RRL requires
> latencies of tiny numbers of microseconds, because the total work for
> a DNS transaction is a small number of microseconds.  Speeding up a
> distributed database with typical delays of hundreds to several thousand
> microseconds is an entire different problem.  No competitive authoritative
> DNS server implementation delays responses for disk accesses or network
> chitchat.

> That said, there is an aspect of DNS response rate limiting that
> could use some network chitchat for something of a distributed
> database.  Large authoritative DNS servers use lots of computers.
> It would be good if they could share blacklists.

when memcached is used over the wire it can deliver low hundred of microsecond latency:


memcached when used on the same server it is even faster but I don't have the data any more.


> Vernon Schryver    vjs at rhyolite.com
> _______________________________________________
> ratelimits mailing list
> ratelimits at lists.redbarn.org
> http://lists.redbarn.org/mailman/listinfo/ratelimits

Jay Daley
Chief Executive
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 931 6977
mobile: +64 21 678840
linkedin: www.linkedin.com/in/jaydaley

More information about the ratelimits mailing list