[ratelimits] CH/TXT/id.server queries rate-limited

Vernon Schryver vjs at rhyolite.com
Fri Oct 26 22:14:50 UTC 2012


> From: Jay Daley <jay at nzrs.net.nz>

> Sorry I got confused.  I was not suggesting an independent second
> bucket, which would require the fivefold (or whatever window size is)
> increase but a second limit that is imposed when a rate limit has
> kicked in and the window penalty is now being imposed.  Again, the
> only intention would be to limit sustained attacks.

How does anything one does on the DNS server affect the ability of
the bad guy to sustain an attack?  The bad guy either sends above
the limit(s) and is throttled or doesn't and isn't.

On first blush it sounds interesting to have each bucket earn fewer
than responses-per-second tokens per second.  I think that's
equivalent to adjusting the limit after the limit has been exceeded.

On second thought, it differs too little from simply reducing the limit.

 ....

} when memcached is used over the wire it can deliver low hundred
} of microsecond latency:

Low 100's of usec latency which would be a disaster for DNS servers
that are now doing 40K or more qps per box.  See the start of this
thread.  40K qps allows only 25 microseconds per DNS transaction.

} memcached when used on the same server it is even faster but I don't
} have the data any more.

In the local case, memcached is a generalized and so inevitably
very slow and bloated hash table compared to custom code.
Sometimes a consumer-off-the-shelf database is the best choice for
the application, available talent, time-to-market, and so forth.
Sometimes it's not.

But feel free to prove me wrong by adding rate limiting using memcached
to your favorite DNS server.  Code diversity is a good thing.
If I'm right, you'll find performance (both space and time) "sucks
dead bunnies through a bent straw" as former colleagues liked to say,
and we'll never talk about it.  If you're right and I'm wrong, I'll
be happy, because you will have improved rate limiting at big sites
that use lots of boxes by distributing the blacklist.


Vernon Schryver    vjs at rhyolite.com
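The claim above, that a bucket earning fewer tokens once its limit has been exceeded differs little from simply lowering the limit, can be checked with a small simulation. This is an added example, not code from the thread or from any RRL implementation; the `Bucket` class, its penalty semantics and all numbers are assumptions chosen for illustration.

```python
class Bucket:
    """Per-client token bucket: earns tokens each second, capped at `limit`.

    With `penalty_rate` set it earns only that many tokens per second for
    `window` seconds after any second in which queries were dropped: the
    'second limit' discussed in the thread.  Simplified model, not RRL code.
    """

    def __init__(self, limit, window, penalty_rate=None):
        self.limit = limit
        self.window = window
        self.penalty_rate = penalty_rate
        self.tokens = limit        # a quiet client starts with a full bucket
        self.penalty_left = 0      # seconds of reduced refill still to serve

    def serve(self, queries):
        """Answer as many of this second's `queries` as tokens allow."""
        answered = min(queries, self.tokens)
        self.tokens -= answered
        if answered < queries:
            self.penalty_left = self.window   # a drop (re)starts the penalty
        return answered

    def tick(self):
        """Advance one second and earn tokens at the applicable rate."""
        if self.penalty_left > 0 and self.penalty_rate is not None:
            self.penalty_left -= 1
            earned = self.penalty_rate
        else:
            earned = self.limit
        self.tokens = min(self.limit, self.tokens + earned)


def flood(bucket, qps, seconds):
    """Responses a client gets when sending `qps` queries/s for `seconds`."""
    total = 0
    for _ in range(seconds):
        total += bucket.serve(qps)
        bucket.tick()
    return total


def compare(limit=10, window=5, penalty_rate=2, qps=1000, seconds=60):
    """Total responses to a sustained flood under three policies."""
    return {
        "plain limit": flood(Bucket(limit, window), qps, seconds),
        "limit plus penalty refill": flood(Bucket(limit, window, penalty_rate), qps, seconds),
        "plain limit at penalty rate": flood(Bucket(penalty_rate, window), qps, seconds),
    }
```

With the default parameters the penalty policy and the lower plain limit give the flooding client exactly the same responses from the second second on; the totals differ only by the first second's burst of `limit` responses.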

