[ratelimits] ratelimits also for recursive queries?

Paul Vixie paul at redbarn.org
Sun Sep 16 09:15:26 UTC 2012 

On 2012-09-16 8:53 AM, Sven Michels wrote:
> Hi there,
>
> i joined this list, as it seems (at least to me) the right place for my
> question/suggestion.

welcome.

> I found the ratelimits patch and its quite usefull for authorative servers.
> We also see attacks to our public dns servers, which we currently block or
> limit in different ways. Since most of the attacks have the "same pattern",
> which the ratelimit probably could also catch.
> Crrently all attacks usually query a couple of well known domains. If the
> ratelimits patch would be able to "filter" queries which asks rapidly for
> the same (maybe specified) domain and the query is recursive, then we
> probably would catch most of the attack requests.
> Is there some interest in extending the patch that way?

DNS RRL acts in the presence of recursive queries. there's nothing in
the code that prevents this. but my own experience with it is that since
stub resolvers -- that is, normal healthy hosts and laptops and so on
that use a given recursive server for domain name resolution -- will
often repeat queries many times per second without being part of an attack.

thus the threshold for false positive ends up pressing up against the
threshold for false negative, and there's not a big gap between the two
thresholds.

i ended up using DNS RRL on the "DNS Changer" name servers because
people were using them as amplifying reflectors at one point. these
servers were recursive. but i was sure there were no "servers" using
them, just infected Windows desktop and laptop computers. i therefore
set the threshold to 25 identical queries per second and "hoped for the
best". noone complained, but then, my "customers" were all malware
victims and we ended up shutting their DNS off altogether about a month
later. so i wasn't really expecting any complaints.

if you can reasonably expect complaints of "slow internet service" from
your customers or employees using your recursive name server, then
you'll want to be overcautious about turning on DNS RRL in its current
form. we usually recommend that people only turn it on in a
"non-recursive" view (or name server).

it's worth turning it on in "logging only" mode, at 25 queries per
second, to see what it tells you.

note that while normal DNS RRL is hard to bypass even if an attacker
knows it's there, a threshold of 25 or more is high enough that a smart
attacker can still get quite a bit of amplified reflection out of your
server.

paul

More information about the ratelimits mailing list