[ratelimits] adding "all-responses-per-second X"

sthaug at nethelp.no
Sun Sep 16 21:11:29 UTC 2012


> > Tony Finch recently mentioned DNS reflection amplification attacks
> > spread among many valid domains at an authority server to evade rate
> > limits on individual domains.
> 
> It was Klaus Darilion who said he had observed this kind of attack on his
> servers. I was just speculating about how this kind of attack could be
> mounted. Note that the attack can use many names within a zone as well as
> many zones.

I can confirm this observation. Example from one of our authoritative
servers running 9.8.3-P2 and the ratelimit patch:

16-Sep-2012 16:00:10.825 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY adressa.no
16-Sep-2012 16:00:10.862 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY brreg.no
16-Sep-2012 16:00:11.282 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY ventelo.no
16-Sep-2012 16:00:11.437 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY altinn.no
16-Sep-2012 16:00:11.721 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY bfk.no
16-Sep-2012 16:00:11.827 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY bibits.no
16-Sep-2012 16:00:11.928 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY arrive.no
16-Sep-2012 16:00:12.213 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY fava.no
16-Sep-2012 16:00:12.532 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY mynt.no
16-Sep-2012 16:00:12.561 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY norgeibilder.no
16-Sep-2012 16:00:12.829 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY toi.no
16-Sep-2012 16:00:13.122 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY sparebankenpluss.no
16-Sep-2012 16:00:13.133 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY validus.no
16-Sep-2012 16:00:13.171 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY kongsberg.com
16-Sep-2012 16:00:13.185 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY trumf.no
16-Sep-2012 16:00:13.689 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY eunet.no
16-Sep-2012 16:00:14.318 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY terra.as

(ad nauseam)

Steinar Haug, Nethelp consulting, sthaug at nethelp.no
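The log excerpt above shows the evasion pattern the thread is about: one client /24 being limited for a different name roughly every hundred milliseconds, so no single name ever looks hot. The following is an added example (not code from this thread, from Steinar, or from BIND) that parses the "limiting responses" lines in that format and flags a client prefix that was limited for many distinct names inside a short window, which is the signal per-name limits alone miss. The thresholds, the 198.51.100.0/24 lines and the one non-RRL line are constructed for the example; the 121.10.112.0/24 lines are the ones quoted in the post.

```python
"""Spot a rate-limited client prefix that spreads queries over many names.

Added example, not code from the ratelimits thread or from BIND. Parses BIND
RRL 'limiting responses' log lines and reports any client prefix that was
limited for at least MIN_NAMES distinct names within WINDOW_SECONDS.
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches the exact log format quoted in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"rate-limit: info: limiting responses to (?P<prefix>\S+) "
    r"for (?P<qclass>\S+) (?P<qtype>\S+) (?P<name>\S+)$"
)


def parse_rrl_line(line):
    """Return a dict (ts, prefix, qclass, qtype, name) or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return rec


def max_distinct_names(events, window_seconds):
    """Largest number of distinct names limited inside any sliding window."""
    events = sorted(events, key=lambda e: e["ts"])
    best = 0
    j = 0
    for i in range(len(events)):
        # Advance the window end; it only ever moves forward.
        while (j < len(events)
               and (events[j]["ts"] - events[i]["ts"]).total_seconds() <= window_seconds):
            j += 1
        best = max(best, len({e["name"] for e in events[i:j]}))
    return best


def find_spread_sources(lines, min_names=10, window_seconds=5.0):
    """Map prefix -> summary for prefixes limited on >= min_names distinct
    names within window_seconds. Thresholds are constructed defaults."""
    by_prefix = defaultdict(list)
    for line in lines:
        rec = parse_rrl_line(line)
        if rec is not None:
            by_prefix[rec["prefix"]].append(rec)
    flagged = {}
    for prefix, events in by_prefix.items():
        n = max_distinct_names(events, window_seconds)
        if n >= min_names:
            flagged[prefix] = {
                "distinct_names": n,
                "total": len(events),
                "qtypes": sorted({e["qtype"] for e in events}),
            }
    return flagged


# Lines quoted in the post, followed by constructed lines: a prefix that is
# limited repeatedly for one name only, and one line that is not an RRL line.
SAMPLE_LINES = [
    "16-Sep-2012 16:00:10.825 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY adressa.no",
    "16-Sep-2012 16:00:10.862 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY brreg.no",
    "16-Sep-2012 16:00:11.282 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY ventelo.no",
    "16-Sep-2012 16:00:11.437 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY altinn.no",
    "16-Sep-2012 16:00:11.721 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY bfk.no",
    "16-Sep-2012 16:00:11.827 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY bibits.no",
    "16-Sep-2012 16:00:11.928 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY arrive.no",
    "16-Sep-2012 16:00:12.213 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY fava.no",
    "16-Sep-2012 16:00:12.532 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY mynt.no",
    "16-Sep-2012 16:00:12.561 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY norgeibilder.no",
    "16-Sep-2012 16:00:12.829 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY toi.no",
    "16-Sep-2012 16:00:13.122 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY sparebankenpluss.no",
    "16-Sep-2012 16:00:13.133 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY validus.no",
    "16-Sep-2012 16:00:13.171 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY kongsberg.com",
    "16-Sep-2012 16:00:13.185 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY trumf.no",
    "16-Sep-2012 16:00:13.689 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY eunet.no",
    "16-Sep-2012 16:00:14.318 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY terra.as",
    # Constructed: same name over and over from another prefix (not spread).
    "16-Sep-2012 16:00:12.000 rate-limit: info: limiting responses to 198.51.100.0/24 for IN ANY example.com",
    "16-Sep-2012 16:00:12.500 rate-limit: info: limiting responses to 198.51.100.0/24 for IN ANY example.com",
    "16-Sep-2012 16:00:13.000 rate-limit: info: limiting responses to 198.51.100.0/24 for IN ANY example.com",
    # Constructed: an unrelated line that the parser must skip.
    "16-Sep-2012 16:00:15.000 general: info: constructed non-RRL line",
]

if __name__ == "__main__":
    for prefix, info in find_spread_sources(SAMPLE_LINES).items():
        print(prefix, info)
```

Run on the sample, the post's /24 is reported with 17 distinct names in 17 limited responses over about 3.5 seconds, while the constructed prefix that hammers a single name is left to the ordinary per-name limit. A per-client aggregate like this is the same view an "all-responses-per-second" limit would enforce; the parser is a cheap way to confirm from existing logs whether that limit is the one a server actually needs.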

